Module 8 INFO-636
Securing Cloud Infrastructure

Logging and monitoring
Agenda – Module 8
Topic                                                   Duration
Lecture                                                 75 mins
Demonstration: Security Hub                             15 mins
Quiz (due Friday Aug 2nd 11:59 PM; 2 attempts)          30 mins
Revision time / Break                                   10 mins
Lab 5.1 - Encrypting Data at Rest by Using AWS KMS      60 mins
  (due Friday Aug 4th 11:59 PM; unlimited attempts)
Total                                                   175 mins
Module overview
■ Importance of logging and monitoring
■ Capture and collect
■ AWS services with built-in logs
■ Monitor and report
■ Best practices for logging and monitoring
■ Additional AWS services for logging and monitoring

Module Objectives
At the end of this module, you should be able to do the following:
■ Log and monitor access and control to help identify security threats.
■ Read and interpret log reports to identify security threats.
■ Monitor and report on your Amazon Web Services (AWS) resources and applications.
■ Recognize when to use Amazon CloudWatch and when to use AWS CloudTrail.
Shared responsibility model

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 5
AWS SIMPLE SOLUTION EXAMPLE
[Figure: users reaching Amazon EC2, an Amazon database, and Amazon S3 inside a Virtual Private Cloud (VPC) in the AWS Cloud; layers shown: Networking, Compute, Database, Storage]
SERVICES CATALOG
Compute services –
• Amazon EC2
• AWS Lambda
• AWS Elastic Beanstalk
• Amazon EC2 Auto Scaling
• Amazon ECS
• Amazon EKS
• Amazon ECR
• AWS Fargate

Storage services –
• Amazon S3
• Amazon S3 Glacier
• Amazon EFS
• Amazon EBS

Database services –
• Amazon RDS
• Amazon DynamoDB
• Amazon Redshift
• Amazon Aurora

Management and Governance services –
• AWS Trusted Advisor
• AWS CloudWatch
• AWS CloudTrail
• AWS Well-Architected Tool
• AWS Auto Scaling
• AWS Command Line Interface
• AWS Config
• AWS Management Console
• AWS Organizations

Security, Identity, and Compliance services –
• AWS IAM
• Amazon Cognito
• AWS Shield
• AWS Artifact
• AWS KMS

Networking and Content Delivery services –
• Amazon VPC
• Amazon Route 53
• Amazon CloudFront
• Elastic Load Balancing

AWS Cost Management services –
• AWS Cost & Usage Report
• AWS Budgets
• AWS Cost Explorer
Section 1 – INFO636: Logging and Monitoring
Importance of logging and monitoring
What is logging?
● Logging is the collection and recording of activity and event data.
○ Provided by the service itself
○ Provided by a secondary service
● Information logged will vary based on the service conducting the logging.
● Common log elements:
○ Date and time of event
○ Origin of event
○ Identity of resources accessed
Why is logging important?
● Logging provides a record of events, which is useful for the following:
○ Troubleshooting
○ Auditing
○ Recordkeeping
○ Incident response and remediation
● Logs are a requirement for demonstrating compliance with regulations, such as the following:
○ HIPAA
○ GDPR
○ LGPD
What is monitoring?
Monitoring is the continuous verification of the security and performance of your resources, applications, and data.
Log Monitoring
What is log monitoring?
Log monitoring is a process by which developers and administrators continuously observe logs as they’re recorded. With log monitoring software, teams can collect information and trigger alerts if something affects system performance and health.
Log Monitoring
How log monitoring facilitates log analytics

● Log monitoring and log analytics are related — but different — concepts that work in conjunction.
Together, they ensure the health and optimal operation of applications and core services.
● Whereas log monitoring is the process of tracking logs, log analytics evaluates logs in context to
understand their significance. This includes troubleshooting issues with software, services, applications,
and any infrastructure with which they interact. Such infrastructure includes multicloud platforms,
container environments, and data repositories.
● Log monitoring and analytics work together to ensure applications are performing optimally and to
determine how systems can improve.
● Log analytics also helps identify ways to make infrastructure environments more predictable,
efficient, and resilient. Together, they provide continuous value to businesses by providing a window
into issues and how to run systems optimally.

Log Monitoring
Benefits of log monitoring

Log monitoring helps teams to maintain situational awareness in cloud-native environments. This practice
provides myriad benefits, including the following:
● Faster incident response and resolution. Log monitoring helps teams respond to incidents faster and
discover issues before they affect end users.
● More IT automation. With clear insight into crucial system metrics, teams can automate more
processes and responses with greater precision.
● Optimized system performance. Log monitoring can reveal potential bottlenecks and inefficient
configurations so teams can fine-tune system performance.
● Increased collaboration. A single log monitoring solution benefits cloud architects and operators so
they can create more resilient multicloud environments.

Log Monitoring
Log monitoring use cases

● Infrastructure monitoring
● Application performance monitoring
● Digital experience monitoring
● Real-user monitoring
● Application security
● Business analytics
● Cloud automation and orchestration
Best practices of logging and monitoring
1. Define your need to log and monitor
2. List what needs to be logged and how it needs to be monitored
3. Identify assets and events that need to be monitored
4. Determine the right solution for logging and monitoring
5. Design logging and monitoring systems with security in mind
6. Adopt organization-wide logging and monitoring policies
7. Establish active monitoring, alerting, and an incident response plan

Security teams need to build logging and monitoring programs that not only collect traditional operational metrics, but are also capable of storing, analyzing, and even mitigating a variety of attacks.
AWS Monitoring tools
CloudTrail provides a record of actions taken within your environment. CloudTrail logs include information such as the action type, identity of the user, and time and date of the action. With this information, you can monitor who is doing what and when they are doing it.
With CloudWatch, you can monitor your resources and applications in real time. CloudWatch provides you with system-wide visibility into resource utilization, application performance, and operational health.
EventBridge is a serverless service that uses events to connect application components together, making it easier for you to build scalable event-driven applications. Use it to route events from sources such as home-grown applications, AWS services, and third-party software to consumer applications across your organization. EventBridge provides a simple and consistent way to ingest, filter, transform, and deliver events so you can build new applications quickly.
AWS X-Ray is a service that collects data about requests that your application serves, and provides tools that you can use to view, filter, and gain insights into that data to identify issues and opportunities for optimization.
SECTION 1 KEY TAKEAWAYS
Logging is the collection and recording of activity and event data.
Monitoring is the continuous verification of the security and performance of your resources, applications, and data.
AWS provides several services that you can use to log and monitor your resources.
Section 2 – INFO636: Logging and Monitoring
Capture and collect
AWS CloudTrail
● Assists you to enable governance and compliance, as well as operational and risk auditing of your AWS account
● Records actions taken by a user, role, or AWS service as events
● Provides visibility of events in the CloudTrail console
● Can be used to view, search, download, archive, analyze, and respond to account activity across your AWS infrastructure

For more information, see AWS CloudTrail at https://aws.amazon.com/cloudtrail.

API security-relevant information
Activity: Reading a Log File
Reading a log: Identity of the caller
{
  "Records": [{
    "eventVersion": "1.0",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "AIDACKCEVSQ6C2EXAMPLE",
      "arn": "arn:aws:iam::111122223333:user/Jane",
      "accountId": "111122223333",
      "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
      "userName": "Jane"
    },

Reading a log: Time and origin of the request
    "eventTime": "2021-07-06T21:01:59Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "StopInstances",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "203.0.113.176",
    "userAgent": "ec2-api-tools 1.6.12.2",

Reading a log: Request parameters and response elements
    "requestParameters": {
      "instancesSet": {
        "items": [{ "instanceId": "i-ebeaf9e2" }]
      },
      "force": false
    },
    "responseElements": {
      "instancesSet": {
        "items": [{
          "instanceId": "i-ebeaf9e2",
          "currentState": { "code": 64, "name": "stopping" },
          "previousState": { "code": 16, "name": "running" }
        }]
      }
    }
  }]
}
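As an added example (not part of the deck or of AWS's material), the following Python reads a CloudTrail log file built from the record above and reduces each record to the WHO, WHAT, WHEN and WHERE questions the activity asks; the helper names and the sample file are constructed for this example.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the record walked through on the slides above, wrapped in
# the top-level "Records" array that CloudTrail delivers in each log file.
SAMPLE_LOG = json.dumps({"Records": [{
    "eventVersion": "1.0",
    "userIdentity": {"type": "IAMUser", "principalId": "AIDACKCEVSQ6C2EXAMPLE",
                     "arn": "arn:aws:iam::111122223333:user/Jane",
                     "accountId": "111122223333",
                     "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Jane"},
    "eventTime": "2021-07-06T21:01:59Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "StopInstances",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "203.0.113.176",
    "userAgent": "ec2-api-tools 1.6.12.2",
    "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-ebeaf9e2"}]},
                          "force": False},
    "responseElements": {"instancesSet": {"items": [{
        "instanceId": "i-ebeaf9e2",
        "currentState": {"code": 64, "name": "stopping"},
        "previousState": {"code": 16, "name": "running"}}]}},
}]})


def caller(identity):
    """Name the caller: IAM users by userName, other principal types by ARN."""
    if identity.get("type") == "IAMUser":
        return identity["userName"]
    return identity.get("arn", identity.get("type", "unknown"))


def summarize(record):
    """Reduce one CloudTrail record to WHO did WHAT, WHEN (UTC) and from WHERE,
    plus any instance state transitions reported in responseElements."""
    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    when = when.replace(tzinfo=timezone.utc)   # eventTime is always UTC
    items = record.get("responseElements") or {}   # may be null in real logs
    items = items.get("instancesSet", {}).get("items", [])
    transitions = [(i["instanceId"], i["previousState"]["name"], i["currentState"]["name"])
                   for i in items if "currentState" in i]
    return {"who": caller(record["userIdentity"]),
            "what": record["eventSource"] + ":" + record["eventName"],
            "when": when, "where": record["sourceIPAddress"],
            "region": record["awsRegion"], "transitions": transitions}


def summarize_log(text):
    """Parse a CloudTrail log file (JSON text) into one summary per record."""
    return [summarize(r) for r in json.loads(text)["Records"]]
```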
SECTION 2 KEY TAKEAWAYS
CloudTrail helps you enable governance, compliance, and auditing of your AWS account.
Actions taken by a user, role, or an AWS service are recorded as events.
CloudTrail records important information about each API call, including the identity of the caller, time of the API call in UTC, and origin of the call.
Section 3 – INFO636: Logging and Monitoring
AWS services with built-in logs
Services with built-in logs: Amazon S3
● Amazon S3 provides detailed access request records through Amazon S3 server access logging.
● Server access logs provide useful information for security and access audits.
● Server access logs can provide insight into your customer base and assist you to understand your Amazon S3 bill.

For more information, see Logging Requests Using Server Access Logging in the Amazon S3 User Guide at https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html.
Services with built-in logs: Amazon VPC
● With VPC Flow Logs, you can capture information about inbound and outbound IP traffic from the following:
○ VPC
○ Subnets
○ Individual network interfaces
● Publish flow log data to CloudWatch or Amazon S3.
● Flow log data is collected outside of the path of your network traffic, with no impact on throughput or latency.

For more information, see Logging IP Traffic with VPC Flow Logs in the Amazon VPC User Guide at https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html.
Services with built-in logs: ELB
● ELB access logs capture detailed information about requests sent to your load balancer.
● Use access logs to analyze traffic patterns and for troubleshooting.
● ELB captures, compresses, and stores logs in a specified S3 bucket.

For more information, see Access Logs for Your Application Load Balancer in the User Guide for Application Load Balancers at https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html.
Section 4 – INFO636: Logging and Monitoring
Monitor and report
Amazon CloudWatch
● Is a monitoring and observability service
● Provides a unified view of the operational health of your AWS resources, applications, and services
● Collects metrics in the AWS Cloud and on premises
● Can be used for infrastructure monitoring and troubleshooting
● Provides the ability to customize logs and events
Comparing CloudTrail and CloudWatch

AWS CloudTrail
● Continuously monitors and logs user activities
● Useful for compliance auditing, security analysis, and troubleshooting
● Helps you determine WHO performed WHAT unauthorized action and WHEN they did it

Amazon CloudWatch
● Continuously monitors resource and application performance
● Useful for detecting anomalous service behavior, setting alarms, and discovering insights
● Alerts you that an issue has occurred due to an unauthorized action

When used together, you can create custom CloudWatch dashboards, alarms, and notifications for key metrics and specific CloudTrail events.
SECTION 4 KEY TAKEAWAYS
CloudWatch provides a unified view of the operational health of your AWS resources, applications, and services.
CloudWatch collects monitoring and operational data as logs, metrics, and events.
CloudTrail monitors actions, and CloudWatch monitors performance.
Create custom dashboards, alarms, and notifications for key metrics.
Section 4 – INFO636: Logging and Monitoring
Best practices for logging and monitoring
Best practices for logging and monitoring
● Define your organizational requirements for logs, alerts, and metrics.

● Configure service and application logging throughout your workload.

● Analyze your logs centrally.

Section 5 – INFO636: Logging and Monitoring
Additional AWS services for logging and monitoring
AWS Trusted Advisor
● Provides recommendations based on five categories of AWS best practices: cost optimization, security, fault tolerance, service limits, and performance improvement
● Evaluates your account to suggest improvements and optimizations for your resources
● Is accessible through the AWS Management Console and available to all support tiers

For more information, see AWS Trusted Advisor in the AWS Support User Guide at https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor.html.
Amazon EventBridge
● Is a serverless event bus service that is used to connect your applications with data from a variety of sources
● Provides a stream of real-time data from applications and services to targets, such as AWS Lambda or event buses
● Was formerly called Amazon CloudWatch Events
AWS Security Hub
● Aggregates security alerts from various AWS services and partner products in a standardized format
● Collects data across accounts and checks cloud security posture against AWS security best practices
● Helps you to understand your overall security posture by using a consolidated security score across all of your AWS accounts
AWS Config
● Helps to assess, audit, and evaluate the configurations of your AWS resources
● Continuously monitors and records AWS resource configurations
● Provides automated evaluation of recorded configurations against desired configurations
Demonstration: Security Hub
https://awsacademy.instructure.com/courses/51909/modules/items/4478957
Module Wrap – INFO636: Logging and Monitoring
Module summary
In this module, you learned how to do the following:
■ Log and monitor access and control to help identify security threats.
■ Read and interpret log reports to identify security threats.
■ Monitor and report on your AWS resources and applications.
■ Recognize when to use CloudWatch and when to use CloudTrail.

BEGIN QUIZ

Lab: Monitoring and Alerting with CloudTrail and CloudWatch
Lab: Tasks
1. Creating a CloudTrail trail with CloudWatch Logs enabled
2. Creating an SNS topic and subscribing to it
3. Creating an EventBridge rule to monitor security groups
4. Creating a CloudWatch alarm based on a metrics filter
5. Querying CloudTrail logs by using CloudWatch Logs Insights
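To show what lab tasks 3 and 4 wire up, here is an added Python example (not from the lab or from AWS) that models an EventBridge event pattern for security group API calls with a simplified local matcher, and a CloudWatch-style alarm that counts matching events in a period against a threshold; the event-name list, the five-minute period and the sample events are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# EventBridge-style pattern for the lab's security group rule (constructed; the lab
# builds the equivalent in the console). Leaves are lists of accepted values.
SG_CHANGE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                      "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
                      "CreateSecurityGroup", "DeleteSecurityGroup"],
    },
}

def matches(pattern, event):
    """Simplified EventBridge matching: AND over keys, exact-value lists at leaves."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        if isinstance(wanted, dict):
            if not isinstance(event[key], dict) or not matches(wanted, event[key]):
                return False
        elif event[key] not in wanted:
            return False
    return True

def stamp(event):
    """Event time as a naive UTC datetime (EventBridge 'time' ends in 'Z')."""
    return datetime.fromisoformat(event["time"].rstrip("Z"))

def alarm_state(events, threshold=1, period=timedelta(minutes=5)):
    """Mimic a CloudWatch alarm on a metric filter: count matches in the latest period."""
    if not events:
        return ("OK", 0)
    now = max(stamp(e) for e in events)
    hits = [e for e in events
            if matches(SG_CHANGE_PATTERN, e) and now - stamp(e) < period]
    return ("ALARM" if len(hits) >= threshold else "OK", len(hits))

# Constructed events in the shape EventBridge delivers CloudTrail API calls:
# the CloudTrail record sits under "detail".
EVENTS = [
    {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
     "time": "2021-07-06T21:01:59Z",
     "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "StopInstances"}},
    {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
     "time": "2021-07-06T21:03:10Z",
     "detail": {"eventSource": "ec2.amazonaws.com",
                "eventName": "AuthorizeSecurityGroupIngress"}},
]
```

Task 5's Logs Insights query answers the same question after the fact; the alarm above answers it as the events arrive.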
Begin Lab: Monitoring and Alerting with CloudTrail and CloudWatch

Duration: 60 minutes

Lab debrief: Key takeaways
THANK YOU