AWS certified developer associate hints. Monitoring and audit, Encryption, Cognito (part VI)
Monitoring and Audit
Monitoring
- CloudWatch Metrics: collect metrics
- CloudWatch Logs: collect, monitor and analyze logs
- CloudWatch Events: send notifications
- CloudWatch Alarms: react in real-time to metrics and events
AWS X-Ray:
- Troubleshooting performance and errors
- Tracing of microservices
AWS CloudTrail:
- Internal monitoring of API calls
- Audit changes to AWS resources by users
CloudWatch metrics
EC2 standard monitoring:
- Default is every 5 minutes for EC2; can be switched to "Detailed" monitoring ($) for 1-minute resolution
- Free tier allows 10 detailed monitoring metrics
- Memory (RAM) usage is not pushed by default
CloudWatch custom metrics
Pushed using API call PutMetricData.
Ability to use dimensions (e.g. instance.id, environment.name).
Metric resolution:
- standard 1 minute
- high resolution 1/5/10/30 seconds ($)
Accepts future timestamps.
CloudWatch Logs
- Log groups: usually represent an application
- Log streams: an instance within the application, a log file or a container
- Expiration policy: never expire, expire after 30 days, etc.
CloudWatch Logs can send logs to the following destinations (S3 via batch export, the rest via subscription filters):
- Amazon S3 -> export
- Kinesis Data Streams
- Kinesis Data Firehose
- AWS Lambda
- OpenSearch
Sources:
- SDK, agent
- Elastic Beanstalk
- ECS
- AWS Lambda
- VPC Flow Logs
- API Gateway
- CloudTrail
- Route 53
CloudWatch Logs Insights: query logs and add the results to a dashboard.
CloudWatch Logs agent - the old one, collects only logs.
CloudWatch unified agent - the new one, collects logs and system-level metrics (RAM usage, CPU, disk I/O, netstat, swap).
CloudWatch Logs metric filter
- find an IP
- find the word "error"
- a metric filter can be used to trigger CloudWatch alarms
A metric filter searches for a string match in the logs and produces a metric; once that metric crosses a threshold it can trigger a CloudWatch Alarm.
The conditions (threshold, periods) are described in the alarm, not in the filter.
CloudWatch Alarm
There are 3 states:
- ok
- insufficient data
- alarm
Alarm target:
- ec2 (start/stop/reboot)
- ec2 auto scaling (up/down)
- Amazon SNS
Composite alarms - combine several alarms with AND and OR conditions.
Alarms set on a high-resolution custom metric can be evaluated as often as every 10 seconds.
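The metric filter and alarm lines above describe a pipeline (log events -> filter match -> per-period metric -> alarm state). The following is an added example, not code from the original notes and not the CloudWatch implementation: it runs a simplified term filter over constructed sample log lines, aggregates matches per 1-minute period, and evaluates the three alarm states the notes list. The filter and state rules are deliberately simplified models (real filter patterns are richer, and CloudWatch lets you configure how missing data is treated).

```python
"""Metric filter + alarm model (added example, not part of the original notes
and not the CloudWatch implementation). The term match and the alarm state
logic are simplified models of the behaviour the notes describe."""
from collections import Counter
from datetime import datetime

OK, INSUFFICIENT_DATA, ALARM = "OK", "INSUFFICIENT_DATA", "ALARM"

# Constructed sample log events: "<ISO-8601 timestamp> <level> <message>".
SAMPLE_LOG = """\
2024-05-01T10:00:05Z INFO request ok path=/health
2024-05-01T10:00:17Z ERROR db timeout after 3000ms
2024-05-01T10:00:42Z ERROR db timeout after 3000ms
2024-05-01T10:01:03Z INFO request ok path=/login
2024-05-01T10:02:11Z ERROR upstream returned 502
2024-05-01T10:02:15Z ERROR upstream returned 502
2024-05-01T10:02:49Z ERROR upstream returned 502
"""


def metric_filter(lines, term):
    """Model of a term filter pattern: every event whose body contains `term`
    adds 1 to the metric for its 1-minute period (standard metric resolution).
    Returns {"YYYY-MM-DDTHH:MM": count}."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        timestamp, body = line.split(" ", 1)
        if term in body:
            minute = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
            counts[minute.strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(counts)


def evaluate_alarm(metric, periods, threshold, datapoints_to_alarm=1):
    """Evaluate the three alarm states over the given consecutive periods.

    Simplified rules:
    - no datapoint in any evaluated period              -> INSUFFICIENT_DATA
    - >= datapoints_to_alarm periods at/over threshold   -> ALARM
    - otherwise                                          -> OK
    Real CloudWatch lets you choose how missing data is treated."""
    datapoints = [metric[p] for p in periods if p in metric]
    if not datapoints:
        return INSUFFICIENT_DATA
    breaching = sum(1 for value in datapoints if value >= threshold)
    return ALARM if breaching >= datapoints_to_alarm else OK


if __name__ == "__main__":
    errors_per_minute = metric_filter(SAMPLE_LOG.splitlines(), "ERROR")
    print(errors_per_minute)
    window = ["2024-05-01T10:00", "2024-05-01T10:01", "2024-05-01T10:02"]
    print(evaluate_alarm(errors_per_minute, window, threshold=3))
```

Note that the minute 10:01 has no matching event at all, so it contributes no datapoint; with a window consisting only of such minutes the alarm reports INSUFFICIENT_DATA rather than OK, which is the state the notes list and which a detection engineer has to account for when an alarm silently stops receiving data.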
CloudWatch Synthetics Canary
Scripts written in Node.js or Python that monitor your endpoints; based on the resulting alarms you can, for example, change AWS Route 53 DNS records.
Amazon EventBridge
Next generation of CloudWatch Events.
Default Event Bus - events generated by AWS services.
Partner Event Bus - events generated by SaaS partner services.
Custom Event Bus - your own events.
AWS X-Ray
Traces a request; a trace is made of segments and subsegments.
Segments - each application/service sends them.
Subsegments - if you need more detail inside a segment.
Trace - segments collected together to form an end-to-end trace.
Sampling: decreases the amount of requests sent to X-Ray, reduces costs.
Annotations - key-value pairs, indexed so they can be used with filter expressions.
Metadata - key-value pairs, not indexed, not usable for search.
Sampling rules use a reservoir (a fixed number of requests per second that are always traced) and a rate (the percentage of requests traced after the reservoir is used up).
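An added example (illustrative code written for this page, not the X-Ray SDK) that simulates the reservoir-plus-rate rule: the first `reservoir` requests in each one-second window are always traced, and every later request in that window is traced with probability `rate`. X-Ray's documented default rule is a reservoir of 1 request per second and a rate of 5%, which is what the demo at the bottom uses; the random generator is seeded so the run is reproducible.

```python
"""X-Ray sampling simulation (added example; illustrative, not the X-Ray SDK).
Models a sampling rule as a per-second reservoir plus a rate for the
requests that exceed it, which is what the notes describe."""
import random


class SamplingRule:
    """reservoir: requests per second that are always traced;
    rate: fraction (0..1) of the remaining requests in that second to trace."""

    def __init__(self, reservoir, rate, seed=0):
        self.reservoir = reservoir
        self.rate = rate
        self._rng = random.Random(seed)  # seeded so runs are reproducible
        self._window = None
        self._used = 0

    def should_sample(self, second):
        """Decide for one request arriving at integer timestamp `second`."""
        if second != self._window:  # new one-second window: reset the reservoir
            self._window = second
            self._used = 0
        if self._used < self.reservoir:
            self._used += 1
            return True
        return self._rng.random() < self.rate


def simulate(rule, requests_per_second, seconds):
    """Return how many of requests_per_second * seconds requests get traced."""
    traced = 0
    for second in range(seconds):
        for _ in range(requests_per_second):
            if rule.should_sample(second):
                traced += 1
    return traced


if __name__ == "__main__":
    # Default-style rule: 1 request/second reservoir, 5% of the rest.
    rule = SamplingRule(reservoir=1, rate=0.05)
    print("traced out of 1000 requests in one second:", simulate(rule, 1000, 1))
```

The useful property to notice is that the reservoir guarantees at least one trace per second even at a 0% rate, so a quiet service still produces traces, while the rate keeps the cost bounded when traffic bursts.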
Compatibility:
- AWS Lambda
- AWS Elastic Beanstalk
- ECS
- ELB
- API Gateway
- EC2
How to enable X-Ray?
- Attach an IAM role with X-Ray permissions
- Import the AWS X-Ray SDK
- Instrument the application with the SDK
- Install the X-Ray daemon
X-Ray instrumentation - measuring the product's performance, diagnosing errors and writing trace information; the X-Ray SDK is needed.
X-Ray with Elastic Beanstalk
For a single Docker container:
- Correct IAM permissions for the X-Ray agent
- Requires .ebextensions/xray-daemon.config:
option_settings:
  aws:elasticbeanstalk:xray:
    XRayEnabled: true
ECS + X-Ray
Daemon container for X-Ray: one daemon per EC2 instance.
X-Ray as a sidecar: one daemon per task container.
Fargate supports only the sidecar pattern.
AWS CloudTrail
Provides governance, compliance and audit for the AWS account.
Enabled by default.
Get the history of events / API calls made within the account using:
- Console
- CLI
- SDK
- AWS services
Possible to store in an S3 bucket for more than 90 days:
- Management events (read/write)
- Data events (not logged by default, e.g. S3 object-level events)
- AWS Lambda
- CloudTrail Insights, a paid service
CloudTrail Insights detects:
- inaccurate resource provisioning
- hitting service limits
- bursts of AWS IAM actions
- gaps in periodic maintenance activity
- Sends findings to S3 and EventBridge
Encryption
Encryption in flight - SSL/HTTPS.
Encryption at rest (Server-Side Encryption) - data is stored encrypted in AWS.
Client-side encryption - data is encrypted before transfer and decrypted on the client.
KMS
Symmetric AES-256 - one key for encryption and decryption.
Asymmetric - RSA & ECC - key pairs.
Key types
- AWS owned - SSE-S3, SSE-SQS - default keys for services
- AWS managed - aws/ + service name, e.g. aws/ebs, aws/rds
- Customer managed, created in KMS
- Customer managed, imported (only symmetric)
Keys can be shared with another account for decryption. To control access to your KMS keys you use KMS key policies (user/account/federated user). Principal forms (values are shorthand):
Principal: { "AWS": "1222" }
Principal: { "AWS": "1222:root" }
Principal: { "AWS": "1222:assumed-role/role-name/xxx" }
Principal: { "AWS": "1222:user/xxx" }
Principal: { "Federated": "cognito" }
Principal: { "Federated": "saml" }
Principal: { "Service": [
    "ecs.amazonaws.com", "elasticloadbalancing.amazonaws.com"
] }
The IAM policy condition key aws:SecureTransport
allows you to enforce SSL/TLS requests to objects stored in an S3 bucket.
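The aws:SecureTransport point is easiest to see with the policy statement and a request on each side of it. The following is an added example, not from the original notes: the Deny statement follows the documented pattern for enforcing TLS on an S3 bucket (the bucket name example-bucket is a placeholder), and the evaluator is a toy written for this page that understands only the pieces used here (Effect, Action/Resource wildcards, the Bool condition operator and explicit-deny-wins). It is not the IAM policy engine.

```python
"""aws:SecureTransport demo (added example; the evaluator is a toy, not IAM).
Shows a bucket policy that denies non-TLS requests and how the Deny applies
depending on the request context."""
import fnmatch

BUCKET = "example-bucket"  # placeholder bucket name

# Documented pattern: explicitly deny every S3 action when the request
# did not arrive over TLS (aws:SecureTransport == false).
DENY_INSECURE_TRANSPORT = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyNonTLS",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                f"arn:aws:s3:::{BUCKET}",
                f"arn:aws:s3:::{BUCKET}/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }
    ],
}


def _matches(pattern, value):
    """Action/Resource elements may be a string or a list; '*' is a wildcard."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Only the Bool operator is modelled. A condition key missing from the
    request context never matches, so the statement does not apply."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, resource, context, identity_allows=True):
    """Return 'Allow' or 'Deny' for one request.

    identity_allows models whether the caller's identity policy grants the
    action; an explicit Deny in the bucket policy always wins over it."""
    explicit_deny = any(
        statement["Effect"] == "Deny"
        and _matches(statement["Action"], action)
        and _matches(statement["Resource"], resource)
        and _condition_holds(statement.get("Condition", {}), context)
        for statement in policy["Statement"]
    )
    if explicit_deny:
        return "Deny"
    return "Allow" if identity_allows else "Deny"


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    for secure in ("true", "false"):
        ctx = {"aws:SecureTransport": secure}
        print(secure, "->", evaluate(DENY_INSECURE_TRANSPORT, "s3:GetObject", obj, ctx))
```

Two details worth keeping in mind when writing the real policy: the Resource list needs both the bucket ARN and the `/*` object ARN, otherwise bucket-level calls such as ListBucket are not covered, and because the statement is a Deny it does not by itself grant anything; the caller still needs an Allow from an identity or bucket policy.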
Envelope encryption
Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.
Use KMS keys to generate, encrypt, and decrypt the data keys that you use outside of AWS KMS to encrypt your data.
When the data is larger than 4 KB, use a DEK (data encryption key):
API:
GenerateDataKey -> generates the DEK (returned in plaintext and encrypted under the KMS key)
Encrypt -> done locally using the DEK
Decrypt -> we pass the encrypted DEK to KMS to get the plaintext DEK back
Data keys can be cached using LocalCryptoMaterialsCache (AWS Encryption SDK).
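The GenerateDataKey / Encrypt / Decrypt flow above, as an added, runnable example that is not the notes' code and not AWS KMS. A FakeKms object stands in for KMS: its master key (KEK) never leaves the object, and it exposes the three calls from the notes, with the 4 KB plaintext limit on Encrypt enforced so the reason for the DEK is visible. AES-256 is replaced by a stand-in authenticated cipher built from HMAC-SHA256 (CTR-style keystream plus a MAC tag), chosen only so the example runs on the Python standard library; the envelope structure is the point, not the cipher.

```python
"""Envelope encryption walk-through (added example; not the notes' code and
not AWS KMS). FakeKms stands in for KMS and exposes GenerateDataKey / Encrypt
/ Decrypt; seal/unseal are a stand-in cipher built from HMAC-SHA256 so the
example needs nothing outside the standard library."""
import hashlib
import hmac
import secrets

KMS_ENCRYPT_LIMIT = 4096  # KMS Encrypt/Decrypt take at most 4 KB of plaintext


def _keystream(key, nonce, length):
    # CTR-style keystream: block i = HMAC-SHA256(key, "enc" || nonce || i)
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = b"enc" + nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC with a fresh nonce. Output: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Verify the tag before decrypting; any tampering raises ValueError."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class FakeKms:
    """Stand-in for the KMS API surface used by envelope encryption."""

    def __init__(self):
        self._kek = secrets.token_bytes(32)  # the KMS key; never returned

    def encrypt(self, plaintext):
        if len(plaintext) > KMS_ENCRYPT_LIMIT:
            raise ValueError("Encrypt accepts at most 4096 bytes; use a data key")
        return seal(self._kek, plaintext)

    def decrypt(self, ciphertext_blob):
        return unseal(self._kek, ciphertext_blob)

    def generate_data_key(self):
        """Return (plaintext DEK, DEK encrypted under the KEK)."""
        dek = secrets.token_bytes(32)
        return dek, self.encrypt(dek)


def envelope_encrypt(kms, data):
    dek, encrypted_dek = kms.generate_data_key()
    ciphertext = seal(dek, data)  # bulk data is encrypted locally, never sent to KMS
    # Store the encrypted DEK next to the ciphertext and discard the plaintext DEK.
    return {"encrypted_dek": encrypted_dek, "ciphertext": ciphertext}


def envelope_decrypt(kms, envelope):
    dek = kms.decrypt(envelope["encrypted_dek"])  # the only KMS call on the read path
    return unseal(dek, envelope["ciphertext"])


if __name__ == "__main__":
    kms = FakeKms()
    document = b"A" * 10_000  # larger than the 4 KB KMS limit
    envelope = envelope_encrypt(kms, document)
    print(envelope_decrypt(kms, envelope) == document)
```

The shape to remember for the exam and for real code: only the 32-byte DEK ever crosses the KMS API, the ciphertext and the encrypted DEK are stored together, and decryption starts with a single KMS Decrypt of the encrypted DEK. Caching the plaintext DEK (the LocalCryptoMaterialsCache mentioned above) removes even that call for repeated operations, at the cost of keeping key material in process memory for the cache lifetime.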
KMS quotas
Shared quotas for API usage depend on the region (5-10k requests per second); possible to increase by opening a support ticket.
KMS Lambda integration
- Use an environment variable
- Encrypt its value with a KMS key
- Decrypt it in the Lambda function body by calling the KMS service
- Permission for the KMS call must be granted to the function's role
S3 Bucket Key for SSE-KMS encryption
A bucket-level key derived from the KMS key is used for object encryption, which reduces the number of calls to KMS.
CloudHSM
Dedicated hardware HSM (hardware security module).
Both symmetric and asymmetric keys.
Key is blocked if accessed.
AWS KMS can connect to CloudHSM keys; key usage is logged in CloudTrail.
Has MFA support.
SSM Parameter Store
- The consumer needs an IAM role
- Stores parameters in a hierarchy
- Types: String and SecureString (encrypted with KMS)
- Standard tier: 4 KB
- Advanced tier: 8 KB and parameter policies (e.g. TTL)
AWS Secrets Manager
- Rotation of secrets (every up to 365 days) using Lambda functions; integration with RDS, Redshift, DocumentDB.
- ManageMasterUserPassword: true in CloudFormation lets Secrets Manager manage the database master password.
CloudWatch Logs encryption
- Possible with a KMS key
- Encryption is applied per log group
- Possible only with the API/CLI (associate-kms-key)
CodeBuild Security
- Environment variables can come from Parameter Store or Secrets Manager
- An IAM role must be provided
AWS Nitro Enclaves
Isolated environment, no SSH access, cryptographic attestation.
Uses the Nitro Hypervisor and a secure local channel.
Cognito
Cognito User Pools
- sign-in functionality for app users
- good integration with API Gateway and ALB
Cognito User Pool: login with email (or phone) and password (with password requirements) + MFA.
Federated identity providers: Google / Facebook, SAML, 2FA.
Login / sign-up / token Lambda triggers.
Adaptive authentication - MFA for suspicious logins.
Cognito Identity Pools (federated identities)
Get identities for users so they obtain temporary AWS credentials:
- public providers (Amazon, Google, Facebook)
- Cognito user pools
- OpenID Connect providers & SAML
- custom login
- guest users