AWS certified developer associate hints. Monitoring and audit, Encryption, Cognito (part VI)

Monitoring and Audit

Monitoring

  • CloudWathcMetrics: Collect metrics
  • CloudWatchLogs: Collect, monitor and analyze logs
  • CloudWatchEvents: Send notifications
  • CloudWatchAlarms: React in real-tome to metrics and events

AWS X Ray:

  • troubleshooting performance and errors
  • Tracing of micro services

AWS CloudTrail:

  • Internal monitoring of API calls
  • Audit changes to AWS resources by users

CloudWatch metrics

EC2 standard monitoring:

  • Default every 5 mins for EC2, can be switched to “Detailed” ($) to “1 min”
  • Free tier allows us to have 10 detailed monitoring metrics
  • Memory RAM usage is not pushed

CloudWatch custom metrics

Pushed using API call PutMetricData.

Ability to use dimensions (instance.id, environment.name).

Metric resolution:

  • standard 1 minute
  • high resolution 1/5/10/30 seconds ($)

Accepts future timestamps.

CloudWatch Logs

  • Log groups: usually represent application
  • Log streams: instance within application log file/container
  • Expiration policy never, expire 30 days etc

CloudWatch logs can send logs using subscription filters:

  • amazon s3 -> export
  • Kinesis data strams
  • Kinesis data firehose
  • AWS lambda
  • Open search

Sources:

  • SDK, agent
  • Elastic beanstalk
  • ECS
  • AWS Lambda
  • VPC flow logs
  • API gateway
  • CloudTrail
  • Route53

Cloud Logs insights, query logs and add them to dashboard.

CloudWatch agent - old one, collect only logs.

CloudWatch unified agent - new one, can collect logs and metrics (RAM usage, CPU, Disk I/O, Netstat, Swap)

Cloud watch logs Metric filter

  • find IP
  • find word “error”
  • metric filter can be used to trigger cloud watch alarms

Metric filter search for string match in logs, once it trigger threshold it might trigger a CloudWatch Alarm.

Conditions are described in the Alarm.

CloudWatch Alarm

There are 3 states:

  • ok
  • insufficient data
  • alarm

Alarm target:

  • ec2 (start/stop/reboot)
  • ec2 auto scaling (up/down)
  • Amazon SNS

Composite alarms - combining alarms (AND and OR conditions).

Alarms set on high-resolution custom metric can be triggered once per 10 seconds.

CloudWatch Synthetic Canary

Written script in nodejs or python that change AWS Route53 DNS, based on alarms

Amazon EventBridge

Next generation of CloudWatch Events.

Default Event Bus - generated by AWS.

Partner Event Bus - generated by SaaS services.

Custom Event Bus - your own.

AWS X-Ray

Tracing request, tracing is made of segments and subsegments.

Segments - each app will send them.

Subsegment - if u need more details in the segment.

Trace - segments collected together to form and end-to-end trace.

Sampling: decrease the amount of request sent to x-ray, reduce costs.

Anotations - key value pairs used to index traces and use with filters.

Metadata - key value pairs, not indexed, not used for search.

Sampling rules using revisor(how many) and rate(how many % after revisor).

Compatibility:

  • AWS lambda
  • AWS beanstalk
  • ECS
  • ELB
  • API gateway
  • EC2

How to enable X-Ray?

  • Enable IAM role
  • Import AWS x-ray SDK
  • Application SDK
  • Install x-ray demon

X-ray instrumentation - the measure of product’s performance, diagnose errors and write trace information, x-ray sdk is needed

X-Ray with elastic beanstalk

For single docker container:

  • Correct IAM permission
X-ray agent
  • Requires .ebextension/xray-daemon.config
option_settings:
    aws:elasticbeanstalk:xray:
 XRayEnabled: true

ECS + X-Ray

Demon container for x-ray, one demon per ec2 instance.

X-ray as a side-car, one demon per container.

Fargate support only side car.

AWS CloudTrail

Provide governance and compliance and audit for AWS account.

Enabled by default.

Get history of events, API calls made within our account using:

  • Console
  • CLI
  • SDK
  • AWS services

Possible to store in the s3 bucket for more then 90 days:

  • Management events (read/right)
  • Data events (not valued by default, e.g. s3 event)
  • AWS lambda
  • Cloud trail insight, paid service

CloudTrail insight

  • inaccurate resource planing
  • hitting sevice limit
  • burst of aws iam actions
  • gaps in periodic maintenance activity
  • Send to s3 and event bridge

Encryptions

Encryption in flight - ssl/https.

Encryption at rest or (Server-Side Encryption) - save encrypted data in AWS.

Encryption client side - transfer encrypted data and decrepit on the client.

KMS

Symmetric AES-256 - one key for encryption and decryption.

Asymmetric - RSA & ECC - key pairs.

Key types

  • AWS owned - sse-s3, sse-sqs - default keys for services
  • AWS managed - aws + service name aws/ebs, aws/rds
  • Custom managed created in KMS
  • Custom managed imported (only symmetric)

Keys are possible to share with another account for decryption
To control access to your KMS keys you can use KMS key policies (user/account/federated user).

Principal: { AWS: “1222” }
Principal: { AWS: “1222:root” }
Principal: { AWS: “1222:assumed-role/role-name/xxx” }
Principal: { AWS: “1222:user/xxx” }
Principal: { Federated: “cognito” }
Principal: { Federated: “saml” }
Principal: { Service: [
 “ecs.amazonaws.com”, “elasticloadbalancing.amazonaws.com”
]
 }

In IAM role condition aws:SecureTransport allow you to enforce SSL requests to objects stored in S3 bucket

Envelop encryption

When we have more than 4kb file
DEK (data encryption key)

API :
GenerateDataKey -> generate DEK
Encrypt -> using DEK
Decrypt -> we pass encrypted DEK

Data key is possible to cache using LocalCryptoMaterialCache

KMS qoutas

Shared quotas for API usage depends on region, 5 -10k, possible to increase by opening ticket.

KMS lambda integration

  • Use env variable
  • Encrypt value with kms key
  • decrypt it in lambda function body by calling KMS service,
  • permission is needs to be granted to KMS call

S3 Bucket key for SSE-KMS encryption

Stores the key in the bucket to KMS service.

Cloud HSM

Dedicated hardware HSM = hardware security module.

Both symmetric and asymmetric.

Key is blocked if accessed.

AWS KMS connects to CloudHSM keys usage is logged in cloud trail.

Has MFA support.

SSM parameter store

  • Consumer needs an IAM role
  • Store params in hierarchy.
  • Possible Strings and SecureStrings using KMS
  • Standard tier 4kb
  • Advanced tier 8kb and policies (ttl)

AWS Secret manager

  • Rotation of secrets(up to 365 days) using lambda functions and integration with RDS, redshift, DocumentDB.
  • ManageMasterUserPassword=true adds secret manager to cloudformation.

CloudWatch logs encryption

  • Possible with KMS key
  • Encryption used for log groups
  • Possible only with API (associate-key)

CodeBuild Security

  • ENV variable can be a parameter store or secret manager
  • IAM role must be provided

AWS Nitro Enclaves

Isolated environment, no ssh access, cryptographic attestation.

Used Nitro Hypervisor and secure local channel.

Cognito

Cognito user pools

  • sign in functionality app users
  • good integration with API gateway and ALB

Cognate user pull: login with email(phone) and password (with requirement) + mfa.

Federated identity providers : google|Facebook, saml, 2fa.

Login/signup/Token lambda trigger.

Adaptive authentication - MFA for suspicious login.

Congnito Identity pool (federated identity)

Get identifies for users so they obtain temp AWS credentials:

  • public providers (Amazon, google, facebook)
  • cognito user pools
  • openID connect providers & SAML
  • custom login
  • guest users