Auditing with CloudTrail CSCS407 Assignment

Program: CS

Course: Cloud Security

Assignment 7:Auditing with CloudTrail

Name: ___________________________________

Register in AWS Skill Builder (https://explore.skillbuilder.aws/) with a free account and enroll in the course below. Complete the course. Then, answer the questions, providing enough details for them to be fully marked.

Course title: AWS CloudTrail Getting Started

Course ID: E-G03N30

Estimated time: 60 min

URL: https://explore.skillbuilder.aws/learn/course/internal/view/elearning/193/aws-cloudtrail-getting-started

Questions:

1. What types of actions are recorded as events in CloudTrail?


2. What information about API calls would you find in CloudTrail?


3. During a spike in the number of API calls your EC2 instances usually receive, what part of CloudTrail would help you identify this unusual activity?


4. How much back in time can you go to analyze logs?


5. CloudTrail Insight could identify a burst of AWS IAM management actions. Does it include brute-force attacks? Research about it and provide proof of your findings.


6. CloudTrail Lake is a managed data lake that helps organizations aggregate, immutably store, and query events recorded by CloudTrail for auditing, security investigation, and operational troubleshooting. Explain in detail what immutability is referred to and why it is important when investigating security incidents.


7. What types of events can you record with CloudTrail?


8. An EC2 instance deletes an object in a S3 bucket. What type of event would be recorded among the options in the previous question?


9. The EC2 instance is then stopped. What type of event would be recorded in this case?


10. You need to analyze logs related to events in the last month. Discuss whether this would be a free service or what cost would it have.


11. Explain the relationship between CloudTrail and CloudWatch.


12. Discuss best practices in regard to S3 buckets to store logs.


13. If your organization needed to comply with a log retention policy of 5 years, what would you need?


14. Name four attributes you can use in the Events history filter.


15. Write down the AWS CLI command to look for the last 50 console login events.