AWS CloudTrail

AWS CloudTrail is a web service that records activity in an AWS account and delivers log files to an Amazon S3 bucket. It enables governance, compliance, operational auditing, and risk auditing of the account. With AWS CloudTrail, users can log, continuously monitor, and retain account activity related to actions across the AWS infrastructure.

AWS CloudTrail provides an event history of AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. In addition, customers use AWS CloudTrail to detect unusual activity in their AWS accounts. These capabilities help simplify operational analysis and troubleshooting.

  • Users can identify which end users and accounts called AWS for services that support AWS CloudTrail, the source IP address the calls were made from, and when the calls occurred.
  • Users can integrate AWS CloudTrail into applications using the API, automate trail creation for their organization, check the status of the trails, and control how administrators turn AWS CloudTrail logging on and off.
  • Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
  • Users can use CloudTrail to view, search, download, archive, analyze, and respond to account activity across the AWS infrastructure. Users can identify who or what took which action, what resources were acted upon, when the event occurred, and other details to help analyze and respond to activity in the AWS account.

AWS CloudTrail Benefits

AWS CloudTrail simplifies compliance audits by automatically recording and storing event logs for actions made within the AWS account. Integration with Amazon CloudWatch Logs provides a convenient way to search through log data, identify out-of-compliance events, accelerate incident investigations, and expedite responses to auditor requests.

AWS CloudTrail increases visibility into user and resource activity by recording AWS Management Console actions and API calls. Users can identify which end users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred. Users can filter by a time range and one of the following attributes: Event name, User name, Resource name, Event source, Event ID, and Resource type.

With AWS CloudTrail, users can discover and troubleshoot security and operational issues by capturing a comprehensive history of changes that occurred in the AWS account within a specified period of time. CloudTrail Event History shows results only for the Region the user is currently viewing and only for the last 90 days. These events are limited to management events with create, modify, and delete API calls and account activity.

AWS CloudTrail allows users to track and automatically respond to account activity that threatens the security of AWS resources. With Amazon CloudWatch Events integration, users can define workflows that execute when events that can result in security vulnerabilities are detected. For example, users can create a workflow to add a specific policy to an Amazon S3 bucket when CloudTrail logs an API call that makes that bucket public.

AWS CloudTrail Features

Event history

Users can view, search, and download the recent AWS account activity. This allows them to gain visibility into changes in the AWS account resources so they can strengthen the security processes and simplify operational issue resolution.

AWS CloudTrail event history provides a viewable, searchable, and downloadable record of the past 90 days of CloudTrail events. Users can use this history to gain visibility into actions taken in the AWS account in the AWS Management Console, AWS SDKs, command line tools, and other AWS services. Users can customize the view of event history in the AWS CloudTrail console by selecting which columns are displayed. 

A trail is a configuration that enables delivery of CloudTrail events to an Amazon S3 bucket, CloudWatch Logs, and CloudWatch Events. Users can use a trail to filter the CloudTrail events they want delivered, encrypt the CloudTrail event log files with an AWS KMS key, and set up Amazon SNS notifications for log file delivery. 

An organization trail is a configuration that enables delivery of AWS CloudTrail events in the management account and all member accounts in an AWS Organizations organization to the same Amazon S3 bucket, CloudWatch Logs, and CloudWatch Events. Creating an organization trail helps define a uniform event logging strategy for the organization.

Integrations

AWS Lambda: Users can take advantage of the Amazon S3 bucket notification feature to direct Amazon S3 to publish object-created events to AWS Lambda. When AWS CloudTrail writes logs to the S3 bucket, Amazon S3 can invoke a Lambda function to process the access records logged by AWS CloudTrail.

Amazon CloudWatch Logs: AWS CloudTrail integration with Amazon CloudWatch Logs enables users to send management and data events recorded by AWS CloudTrail to CloudWatch Logs. CloudWatch Logs allows users to create metric filters to monitor events, search events, and stream events to other AWS services, such as AWS Lambda and Amazon Elasticsearch Service.

Amazon CloudWatch Events: Amazon CloudWatch Events is an AWS service that delivers a near real-time stream of system events that describe changes in AWS resources. In CloudWatch Events, users can create rules that trigger on any event recorded by CloudTrail. AWS CloudTrail integration with Amazon CloudWatch Events enables users to automatically respond to changes to their AWS resources.

With CloudWatch Events, users are able to define actions to execute when specific events are logged by AWS CloudTrail. For example, if AWS CloudTrail logs a change to an Amazon EC2 security group, such as adding a new ingress rule, users can create a CloudWatch Events rule that sends this activity to an AWS Lambda function. Lambda can then execute a workflow to create a ticket in the IT Helpdesk system.
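The workflows described here and in the Benefits section above (a bucket made public, a new security group ingress rule, logging switched off) start with recognising the relevant record in a CloudTrail log file. The following Python is an added example, not code from the original page or from AWS: it reads one log file in CloudTrail's `{"Records": [...]}` layout and returns the records a responder would want to act on. The records are constructed samples; account, bucket and security group identifiers are placeholders.

```python
# Added example: a small detector over CloudTrail log records for the cases the
# text describes.  The records are constructed samples in the CloudTrail record
# layout; account, bucket and security group identifiers are placeholders.
import json

# S3 grantee URI that means "everyone", and the canned ACLs that grant it.
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write"}

# CloudTrail API calls that weaken the audit trail itself.
LOGGING_TAMPER = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
}

# Constructed sample: the contents of one delivered log file after gunzip.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2021-03-01T10:00:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "example-bucket",
                           "x-amz-acl": ["public-read"]}},
    {"eventVersion": "1.08", "eventTime": "2021-03-01T10:05:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0",
                           "ipPermissions": {"items": [{
                               "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                               "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventVersion": "1.08", "eventTime": "2021-03-01T10:07:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventVersion": "1.08", "eventTime": "2021-03-01T10:09:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": None},
]})


def actor(record):
    """Best-effort principal name from the userIdentity block."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def bucket_made_public(record):
    """PutBucketAcl granting AllUsers, via a canned ACL header or an explicit grant."""
    params = record.get("requestParameters") or {}
    canned = params.get("x-amz-acl", [])
    if isinstance(canned, str):
        canned = [canned]
    if PUBLIC_CANNED_ACLS & set(canned):
        return True
    grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):  # a single grant may arrive as one object
        grants = [grants]
    return any(g.get("Grantee", {}).get("URI") == ALL_USERS_URI for g in grants)


def ingress_from_anywhere(record):
    """AuthorizeSecurityGroupIngress with a 0.0.0.0/0 or ::/0 source range."""
    params = record.get("requestParameters") or {}
    for perm in params.get("ipPermissions", {}).get("items", []):
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", {}).get("items", [])):
            return True
        if any(r.get("cidrIpv6") == "::/0" for r in perm.get("ipv6Ranges", {}).get("items", [])):
            return True
    return False


def findings(log_file_text):
    """Return (eventTime, eventName, actor, reason) for each record worth alerting on."""
    out = []
    for rec in json.loads(log_file_text)["Records"]:
        src, name = rec.get("eventSource"), rec.get("eventName")
        reason = None
        if (src, name) == ("s3.amazonaws.com", "PutBucketAcl") and bucket_made_public(rec):
            reason = "bucket ACL grants access to AllUsers"
        elif (src, name) == ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress") and ingress_from_anywhere(rec):
            reason = "security group ingress opened to the whole internet"
        elif (src, name) in LOGGING_TAMPER:
            reason = "trail configuration changed or logging stopped"
        if reason:
            out.append((rec["eventTime"], name, actor(rec), reason))
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG_FILE):
        print(" | ".join(f))
```

In a deployment the same `findings` function would run inside the Lambda function the text describes, fed by the S3 object-created notification or the CloudWatch Events rule.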

Data events

Data events provide information about the resource operations performed on or in a resource. These are also known as data plane operations. Data events are often high-volume activities and include operations such as Amazon S3 object-level APIs and AWS Lambda function invoke APIs.

Users can log API actions on Amazon S3 objects and receive detailed information such as the AWS account, IAM user role, and IP address of the caller, time of the API call, and other details. Users can also record activity of their Lambda functions, and receive details on Lambda function executions, such as the IAM user or service that made the Invoke API call, when the call was made, and which function was executed. The following data types are recorded:

  • Amazon S3 object-level API activity (GetObject, DeleteObject, and PutObject API operations).
  • AWS Lambda function execution activity (the Invoke API).
  • Amazon S3 object-level API activity on AWS Outposts.

Management events

Management events provide information about management operations that are performed on resources in the AWS account. These are also known as control plane operations. Users can log administrative actions such as creation, deletion, and modification of Amazon EC2 instances. For each event, users can get details such as the AWS account, IAM user role, and IP address of the user that initiated the action, time of the action, and which resources were affected. Management events include:

  • Configuring security (IAM AttachRolePolicy API operations).
  • Registering devices (Amazon EC2 CreateDefaultVpc API operations).
  • Configuring rules for routing data (Amazon EC2 CreateSubnet API operations).
  • Setting up logging (AWS CloudTrail CreateTrail API operations).
 
CloudTrail Insights

AWS CloudTrail Insights identifies unusual activity in AWS accounts, such as spikes in resource provisioning, bursts of AWS Identity and Access Management (IAM) actions, or gaps in periodic maintenance activity. Users can enable AWS CloudTrail Insights events across their AWS organization, or in individual AWS accounts on their AWS CloudTrail trails. If Insights events are enabled and AWS CloudTrail detects unusual activity, Insights events are logged to a different folder or prefix in the destination S3 bucket for the trail.

Insights events provide relevant information, such as the associated API, incident time, and statistics, that help to understand and act on unusual activity. Unlike other types of events captured in a CloudTrail trail, Insights events are logged only when CloudTrail detects changes in the account’s API usage that differ significantly from the account’s typical usage patterns. Examples of activity that might generate Insights events include:

  • An account typically logs no more than 20 Amazon S3 deleteBucket API calls per minute, but the account starts to log an average of 100 deleteBucket API calls per minute. An Insights event is logged at the start of the unusual activity, and another Insights event is logged to mark the end of the unusual activity.

  • An account typically logs 20 calls per minute to the Amazon EC2 AuthorizeSecurityGroupIngress API, but the account starts to log zero calls to AuthorizeSecurityGroupIngress. An Insights event is logged at the start of the unusual activity, and ten minutes later, when the unusual activity ends, another Insights event is logged to mark the end of the unusual activity.

AWS CloudTrail Insights helps AWS users identify and respond to unusual volumes of API calls by continuously analyzing CloudTrail management events.

  • An Insights event is a record of unusual levels of write management API activity. The details page of an Insights event shows the event as a graph of unusual activity, and shows the start and end times of the unusual activity, along with the baseline that is used to determine whether the activity is unusual.

Multi-region configuration

Users can configure AWS CloudTrail to deliver log files from multiple Regions to a single Amazon S3 bucket for a single account. A configuration that applies to all Regions ensures that all settings apply consistently across all existing and newly launched Regions. Users who have different but related user groups, such as developers, security personnel, and IT auditors, can create multiple trails per Region so that each group receives its own copy of the log files. AWS CloudTrail supports five trails per Region. A trail that applies to all AWS Regions counts as one trail in every Region.

A trail can be applied to all Regions or a single Region. As a best practice, create a trail that applies to all Regions in the AWS partition in which you are working. A trail that applies to all AWS Regions has the following advantages:

  • The configuration settings for the trail apply consistently across all AWS Regions.
  • Users receive AWS CloudTrail events from all AWS Regions in a single Amazon S3 bucket and, optionally, in a CloudWatch Logs log group. 
  • Users manage trail configuration for all AWS Regions from one location.
  • Users immediately receive events from a new AWS Region. When a new AWS Region is launched, AWS CloudTrail automatically creates a copy of all of the Region trails for users in the new Region with the same settings as the original trail.
  • Users don’t need to create trails in AWS Regions that they don’t use often in order to monitor for unusual activity. Any activity in any AWS Region is logged in a trail that applies to all AWS Regions.
 
Log file integrity validation

Users can validate the integrity of AWS CloudTrail log files stored in the Amazon S3 bucket and detect whether the log files were unchanged, modified, or deleted since AWS CloudTrail delivered them to the bucket. Log file integrity validation can be used in IT security and auditing processes. Only events that match the trail settings are delivered to the Amazon S3 bucket and Amazon CloudWatch Logs log group. Users can also perform more advanced tasks with AWS CloudTrail log files:

  • Create multiple trails per region.
  • Monitor AWS CloudTrail log files by sending them to CloudWatch Logs.
  • Share log files between accounts.
  • Use the AWS CloudTrail Processing Library to write log processing applications in Java.
  • Validate log files to verify that they have not changed after delivery by CloudTrail.
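The validation listed above works because CloudTrail also delivers hourly digest files, each recording the SHA-256 of every log file delivered in that hour together with the hash of the previous digest, so a log object edited or removed after delivery no longer matches its digest. The following Python is an added example rather than AWS's own validation tooling: it models that check with only the standard library over an in-memory stand-in for the S3 bucket. The object keys and log contents are constructed, and the RSA signature over each digest (SHA256withRSA, public key obtainable through the CloudTrail ListPublicKeys API) is not verified here.

```python
# Added example: CloudTrail digest-based integrity check modelled with the standard
# library.  The bucket is an in-memory dict of constructed objects standing in for S3;
# the per-digest RSA signature (SHA256withRSA) is not verified here.
import hashlib
import json

TRAIL_BUCKET = "example-trail-bucket"  # constructed bucket name


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_digest(bucket, key, log_keys, previous_key=None):
    """Write a digest object in the documented layout for the given log objects.
    CloudTrail produces these itself; this helper only builds test data."""
    digest = {
        "digestS3Bucket": TRAIL_BUCKET,
        "digestS3Object": key,
        "previousDigestS3Object": previous_key,
        "previousDigestHashValue": sha256_hex(bucket[previous_key]) if previous_key else None,
        "previousDigestHashAlgorithm": "SHA-256" if previous_key else None,
        "logFiles": [
            {"s3Bucket": TRAIL_BUCKET, "s3Object": k,
             "hashValue": sha256_hex(bucket[k]), "hashAlgorithm": "SHA-256"}
            for k in log_keys
        ],
    }
    bucket[key] = json.dumps(digest, sort_keys=True).encode()


def validate_digest(bucket, digest_key):
    """Compare each listed log object against its recorded hash, and the previous
    digest against previousDigestHashValue.  Returns {object key: status} with
    status in {'unchanged', 'modified', 'deleted'}, plus a 'previousDigest' entry
    in {'ok', 'modified', 'deleted', 'none'}."""
    digest = json.loads(bucket[digest_key])
    report = {}
    for entry in digest["logFiles"]:
        data = bucket.get(entry["s3Object"])
        if data is None:
            report[entry["s3Object"]] = "deleted"
        elif sha256_hex(data) != entry["hashValue"]:
            report[entry["s3Object"]] = "modified"
        else:
            report[entry["s3Object"]] = "unchanged"
    prev_key = digest.get("previousDigestS3Object")
    if prev_key is None:
        report["previousDigest"] = "none"  # first digest in the chain
    elif prev_key not in bucket:
        report["previousDigest"] = "deleted"
    elif sha256_hex(bucket[prev_key]) != digest["previousDigestHashValue"]:
        report["previousDigest"] = "modified"
    else:
        report["previousDigest"] = "ok"
    return report


def validate_chain(bucket, newest_digest_key):
    """Walk the chain backwards from the newest digest, validating each link."""
    reports = {}
    key = newest_digest_key
    while key is not None and key in bucket:
        reports[key] = validate_digest(bucket, key)
        key = json.loads(bucket[key]).get("previousDigestS3Object")
    return reports


def build_scenario():
    """Constructed data: three log objects covered by two hourly digests, then
    tampering after delivery (one log edited, one removed)."""
    prefix = "AWSLogs/111122223333/CloudTrail/us-east-1/2021/03/01/"
    dprefix = "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2021/03/01/"
    bucket = {
        prefix + "log-1000Z.json.gz": b"constructed log 1",
        prefix + "log-1030Z.json.gz": b"constructed log 2",
        prefix + "log-1100Z.json.gz": b"constructed log 3",
    }
    logs = list(bucket)
    d1, d2 = dprefix + "digest-1100Z.json.gz", dprefix + "digest-1200Z.json.gz"
    make_digest(bucket, d1, logs[:2])
    make_digest(bucket, d2, logs[2:], previous_key=d1)
    bucket[logs[0]] = b"constructed log 1 with an event removed"  # modified
    del bucket[logs[1]]                                            # deleted
    return bucket, logs, d1, d2


if __name__ == "__main__":
    bucket, logs, d1, d2 = build_scenario()
    for digest_key, report in validate_chain(bucket, d2).items():
        print(digest_key.rsplit("/", 1)[-1], report)
```

Because each digest carries the hash of its predecessor, removing a whole digest file to hide a tampered hour is also visible when the chain is walked back from the newest digest.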

Log file encryption

By default, AWS CloudTrail encrypts all log files delivered to the specified Amazon S3 bucket using Amazon S3 server-side encryption (SSE). Optionally, add a layer of security to the CloudTrail log files by encrypting them with an AWS Key Management Service (AWS KMS) key. Amazon S3 automatically decrypts the log files for users who have decrypt permissions.

  • Server-Side Encryption – Request Amazon S3 to encrypt your object before saving it on disks in its data centers and then decrypt it when you download the objects.

  • Client-Side Encryption – Encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.

AWS CloudTrail Workflow

AWS CloudTrail captures AWS API calls and related events made by or on behalf of an AWS account and delivers log files to an Amazon S3 bucket that you specify. Using AWS CloudTrail’s console in the AWS Management Console, the AWS CLI, or the AWS CloudTrail API, users can create a trail, which specifies the bucket for log file delivery and storage. By default, log files are encrypted using Amazon S3 server-side encryption (SSE). Users can store log files in the bucket, but users can also define Amazon S3 lifecycle rules to archive or delete log files automatically. AWS CloudTrail typically delivers log files within 15 minutes of an API call. 

View event history for AWS account: Users can view and search the last 90 days of events recorded by AWS CloudTrail in the CloudTrail console or by using the AWS CLI. For more information, see Viewing Events with CloudTrail Event History.

Download events: Users can download a CSV or JSON file containing up to the past 90 days of CloudTrail events for the AWS account. 

Create a trail: A trail enables AWS CloudTrail to deliver log files to the Amazon S3 bucket. By default, when creating a trail in the console, the trail applies to all regions. The trail logs events from all regions in the AWS partition and delivers the log files to the S3 bucket that users specify. 

Create and subscribe to an Amazon SNS topic: Subscribe to a topic to receive notifications about log file delivery to the bucket. Amazon SNS can notify users in multiple ways, including programmatically with Amazon Simple Queue Service.

View your log files: Use Amazon S3 to retrieve log files. For information, see Getting and Viewing Your CloudTrail Log Files.

Manage user permissions: Use AWS Identity and Access Management (IAM) to manage which users have permissions to create, configure, or delete trails; start and stop logging; and access buckets that have log files. 

Monitor events with CloudWatch Logs: Users can configure the trail to send events to CloudWatch Logs. Users can then use CloudWatch Logs to monitor the account for specific API calls and events.

Log management and data events: Configure trails to log read-only, write-only, or all management and data events. By default, trails log management events. 

Log CloudTrail Insights events: Configure trails to log Insights events to help users identify and respond to unusual activity associated with write management API calls. If a trail is configured to log read-only or no management events, users cannot turn on AWS CloudTrail Insights event logging.

Enable log encryption: Log file encryption provides an extra layer of security for the log files. 

Enable log file integrity: Log file integrity validation helps verify that log files have remained unchanged since CloudTrail delivered them.

Share log files with other AWS accounts: Users can share log files between accounts. For more information, see Sharing CloudTrail Log Files Between AWS Accounts.

Aggregate logs from multiple accounts: Users can aggregate log files from multiple accounts to a single bucket. 

Work with partner solutions: Analyze AWS CloudTrail output with a partner solution that integrates with CloudTrail. Partner solutions offer a broad set of capabilities, such as change tracking, troubleshooting, and security analysis.

Supported Services

App Services

Amazon Simple Workflow Service

The Amazon Simple Workflow Service (Amazon SWF) makes it easy to build applications that coordinate work across distributed components. In Amazon SWF, a task represents a logical unit of work that is performed by a component of the application. Coordinating tasks across the application involves managing inter-task dependencies, scheduling, and concurrency in accordance with the logical flow of the application.

  • Amazon SWF gives users full control over implementing tasks and coordinating them without worrying about underlying complexities such as tracking their progress and maintaining their state.
  • Amazon SWF is supported by the AWS SDKs for Java, .NET, Node.js, PHP, PHP version 2, Python and Ruby, providing a convenient way to use the Amazon SWF HTTP API in the programming language.
  • Users can develop deciders, activities, or workflow starters using the API exposed by these libraries. By accessing visibility operations through these libraries, users can develop their own Amazon SWF monitoring and reporting tools.

Amazon Simple Queue Service

Amazon Simple Queue Service (Amazon SQS) offers reliable and scalable hosted queues for storing messages as they travel between computers. By using Amazon SQS, users can move data between distributed components of the applications that perform different tasks without losing messages or requiring each component to be always available.

  • Amazon SQS offers common constructs such as dead-letter queues and cost allocation tags. It provides a generic web services API and it can be accessed by any programming language that the AWS SDK supports.
  • Amazon SQS and Amazon SNS are queue and topic services that are highly scalable, simple to use, and don’t require users to set up message brokers.
  • Amazon MQ is a managed message broker service that provides compatibility with many popular message brokers.

Amazon Simple Notification Service

Amazon Simple Notification Service (Amazon SNS) is a web service that coordinates and manages the delivery or sending of messages to subscribing endpoints or clients.

Amazon CloudSearch 

Amazon CloudSearch is a fully managed service in the cloud that makes it easy to set up, manage, and scale a search solution for the user's website. Amazon CloudSearch enables users to search large collections of data such as web pages, document files, forum posts, or product information.

  • With Amazon CloudSearch, users can quickly add search capabilities without having to become a search expert or worry about hardware provisioning, setup, and maintenance. As the volume of data and traffic fluctuates, Amazon CloudSearch scales to meet the needs.
  • Users can use Amazon CloudSearch to index and search both structured data and plain text. Amazon CloudSearch features:

    • Full text search with language-specific text processing
    • Boolean search
    • Prefix searches
    • Range searches
    • Term boosting
    • Faceting
    • Highlighting
    • Autocomplete Suggestions

Amazon Elastic Transcoder

Amazon Elastic Transcoder lets users convert media files that are stored in Amazon S3 into media files in the formats required by consumer playback devices. Elastic Transcoder has four components:

  • Jobs do the work of transcoding. Each job converts one file into up to 30 formats.
  • Pipelines are queues that manage transcoding jobs. When creating a job, users specify which pipeline to add the job to.
  • Presets are templates that contain most of the settings for transcoding media files from one format to another. 
  • Notifications let users optionally configure Elastic Transcoder and Amazon Simple Notification Service to keep them apprised of the status of a job.

Amazon Zocalo

Amazon Zocalo is a fully managed enterprise storage and sharing service. Files are stored in the cloud safely and securely. Amazon Zocalo also includes a synchronization application that keeps selected folders on the user's local computer in sync with the files in the cloud. A user's files are visible only to that user and to their designated contributors and viewers.

Compute and Networking

AWS Direct Connect

Users can use AWS Direct Connect to establish a direct connection from their premises to AWS. This may reduce network costs and increase bandwidth throughput. AWS Direct Connect links the user's internal network to an AWS Direct Connect location over a standard Ethernet fiber-optic cable. One end of the cable is connected to the user's router, the other to an AWS Direct Connect router. With this connection, users can create virtual interfaces directly to public AWS services or to Amazon VPC, bypassing internet service providers in the network path. The following are the key components of AWS Direct Connect:

  • Connections: Create a connection in an AWS Direct Connect location to establish a network connection from users premises to an AWS Region.
  • Virtual interfaces: Create a virtual interface to enable access to AWS services. A public virtual interface enables access to public services, such as Amazon S3. A private virtual interface enables access to the VPC.

Amazon Elastic Compute Cloud (EC2)

Amazon Elastic Compute Cloud (Amazon EC2) provides resizable computing capacity in the AWS cloud. Users can launch as many or as few virtual servers (instances) as needed, configure security and networking, and manage storage. Amazon EC2 can also scale up or down quickly to handle changes in requirements or spikes in popularity, thereby reducing the need to forecast server traffic.

  • An instance is a virtual server in the cloud. Its configuration at launch is a copy of the AMI that was specified when launching the instance.
  • An Amazon Machine Image (AMI) is a template that contains a software configuration. From an AMI, users launch an instance, which is a copy of the AMI running as a virtual server in the cloud.

Elastic Load Balancing

Users can use Elastic Load Balancing to automatically distribute the incoming application traffic across multiple Amazon EC2 instances. Elastic Load Balancing automatically scales request handling capacity in response to incoming traffic.

  • A load balancer distributes workloads across multiple compute resources, such as virtual servers. Using a load balancer increases the availability and fault tolerance of the applications.
  • Users can add and remove compute resources from the load balancer as the needs change, without disrupting the overall flow of requests to the applications.
  • With a load balancer, users can configure health checks, which monitor the health of the compute resources, so that the load balancer sends requests only to the healthy ones.

Amazon Virtual Private Cloud

Amazon Virtual Private Cloud (Amazon VPC) enables users to launch AWS resources into a virtual network. This virtual network closely resembles a traditional network that operates in the user's data center, with the added benefit of using the scalable AWS infrastructure. Amazon VPC is the networking layer for Amazon EC2. The following are the key components of a VPC:

  • Virtual private cloud (VPC) — A virtual network dedicated to the AWS account.
  • Subnet — A range of IP addresses in VPC.
  • Route table — A set of rules, called routes, that are used to determine where network traffic is directed.
  • Internet gateway — A gateway that can be attached to VPC to enable communication between resources in your VPC and the internet. 
  • VPC endpoint — Enables users to privately connect the VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
  • CIDR block — Classless Inter-Domain Routing is an internet protocol address allocation and route aggregation methodology.

Auto Scaling

Auto Scaling is a web service that enables users to automatically launch or terminate Amazon Elastic Compute Cloud (Amazon EC2) instances based on user-defined policies, health status checks, and schedules. Amazon EC2 Auto Scaling is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service using Amazon EC2 Auto Scaling.

  • CloudTrail captures all API calls for Amazon EC2 Auto Scaling as events. The calls captured include calls from the Amazon EC2 Auto Scaling console and code calls to the Amazon EC2 Auto Scaling API.

Deployment and Management

AWS CloudFormation

AWS CloudFormation enables users to create and provision AWS infrastructure deployments predictably and repeatedly. It helps leverage AWS products such as Amazon EC2, Amazon EBS, Amazon SNS, Elastic Load Balancing, and Auto Scaling to build highly reliable, highly scalable, cost-effective applications without worrying about creating and configuring the underlying AWS infrastructure.

  • AWS CloudFormation is a service that helps users model and set up the Amazon Web Services resources so that users focus on applications that run in AWS.
  • Users create a template that describes all the AWS resources, and AWS CloudFormation takes care of provisioning and configuring those resources for you.
  • Users don’t need to individually create and configure AWS resources and figure out what’s dependent on what; AWS CloudFormation handles all of that.

AWS Elastic Beanstalk

Users can use AWS Elastic Beanstalk to quickly deploy and manage applications in the AWS cloud without worrying about the infrastructure that runs those applications. Amazon Web Services (AWS) comprises over one hundred services, each of which exposes an area of functionality. While the variety of services offers flexibility for how to manage your AWS infrastructure, it can be challenging to figure out which services to use and how to provision them.

  • With Elastic Beanstalk, users can quickly deploy and manage applications in the AWS Cloud without having to learn about the infrastructure that runs those applications.
  • Elastic Beanstalk reduces management complexity without restricting choice or control. Simply upload the application, and Elastic Beanstalk automatically handles the details of capacity provisioning, load balancing, scaling, and application health monitoring.

AWS Identity and Access Management

AWS Identity and Access Management (IAM) is a web service that enables AWS customers to manage users and user permissions. By using IAM, users can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users can access.

  • When creating an AWS account for the first time, users begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that were used to create the account.

AWS Security Token Service

Users can use the AWS Security Token Service (STS) to grant a trusted user temporary, limited access to the AWS resources. Temporary security credentials work almost identically to the long-term access key credentials that IAM users can use, with the following differences:

  • Temporary security credentials are short-term, as the name implies. They can be configured to last for anywhere from a few minutes to several hours. After the credentials expire, AWS no longer recognizes them or allows any kind of access from API requests made with them.
  • Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested. When (or even before) the temporary security credentials expire, the user can request new credentials, as long as the user requesting them still has permissions to do so.
 
Amazon CloudWatch

Amazon CloudWatch monitors AWS resources and the applications that users run on AWS in real time. Users can use CloudWatch to collect and track metrics, which are the variables users want to measure for their resources and applications. CloudWatch alarms send notifications or automatically make changes to the resources users are monitoring based on rules that were defined.

AWS OpsWorks

AWS OpsWorks provides a simple and flexible way to create and manage stacks and applications. It supports a standard set of components—including application servers, database servers, load balancers, and more—that users can use to assemble your stack. These components all come with a standard configuration and are ready to run.

  • AWS OpsWorks is a configuration management service that helps configure and operate applications in a cloud enterprise by using Puppet or Chef.
  • AWS OpsWorks Stacks and AWS OpsWorks for Chef Automate let customers use Chef cookbooks and solutions for configuration management, while OpsWorks for Puppet Enterprise lets users configure a Puppet Enterprise master server in AWS.
  • Puppet offers a set of tools for enforcing the desired state of the infrastructure, and automating on-demand tasks.

AWS Key Management Service

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control customer master keys (CMKs), the encryption keys used to encrypt data. AWS KMS CMKs are protected by hardware security modules (HSMs) that are validated by the FIPS 140-2 Cryptographic Module Validation Program except in the China (Beijing) and China (Ningxia) Regions.

  • AWS KMS is integrated with most other AWS services that encrypt data, including Amazon EBS, Amazon S3, and Amazon Redshift. AWS KMS is also integrated with AWS CloudTrail to log use of CMKs for auditing, regulatory, and compliance needs.

Amazon Relational Database Service

Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the cloud. It provides cost-efficient, resizeable capacity for an industry-standard relational database and manages common database administration tasks.

  • The basic building block of Amazon RDS is the DB instance. A DB instance is an isolated database environment in the AWS Cloud. A DB instance can contain multiple user-created databases.
  • Each DB instance runs a DB engine. Amazon RDS currently supports the MySQL, MariaDB, PostgreSQL, Oracle, and Microsoft SQL Server DB engines. Each DB engine has its own supported features, and each version of a DB engine may include specific features.
  • The computation and memory capacity of a DB instance is determined by its DB instance class. Users can select the DB instance class that best meets their needs.

Amazon Redshift

Redshift is a fast, fully managed, petabyte-scale data warehouse service that makes it simple and cost-effective to efficiently analyze all data by using users' existing business intelligence tools. It is optimized for datasets that range from a few hundred gigabytes to a petabyte or more. An Amazon Redshift data warehouse is a collection of computing resources called nodes, which are organized into groups called clusters. Each cluster runs an Amazon Redshift engine and contains one or more databases.

  • In Amazon Redshift, no loading or transformation is required, and customers can use open data formats, including Avro, CSV, Grok, Amazon Ion, JSON, ORC, Parquet, RCFile, RegexSerDe, Sequence, Text, Hudi, Delta and TSV.
  • Redshift Spectrum automatically scales query compute capacity based on the data retrieved, so queries against Amazon S3 run fast, regardless of data set size.
  • Amazon Redshift gives fast querying capabilities over structured data using familiar SQL-based clients and business intelligence (BI) tools using standard ODBC and JDBC connections. Queries are distributed and parallelized across multiple physical resources. 
Amazon ElastiCache

Amazon ElastiCache is a web service that makes it easy to set up, manage, and scale distributed in-memory cache environments in the cloud. It provides a high-performance, resizable, and cost-effective in-memory cache, while removing the complexity associated with deploying and managing a distributed cache environment.

  • Amazon ElastiCache allows users to seamlessly set up, run, and scale popular open-source compatible in-memory data stores in the cloud.
  • Amazon ElastiCache is a popular choice for real-time use cases like Caching, Session Stores, Gaming, Geospatial Services, Real-Time Analytics, and Queuing.
  • Amazon ElastiCache offers fully managed Redis, voted the most loved database by developers in the Stack Overflow 2020 Developer Survey, and Memcached for the most demanding applications that require sub-millisecond response times.

#04

Database

#05

Analytics and Storage

Amazon Elastic MapReduce

Amazon Elastic MapReduce (Amazon EMR) is a web service that makes it easy to process large amounts of data efficiently. Amazon EMR uses Hadoop processing combined with several services from AWS to perform such tasks as web indexing, data mining, log file analysis, machine learning, scientific simulation, and data warehousing. An Amazon EMR release is a set of open-source applications from the big-data ecosystem. 

  • Each release comprises different big-data applications, components, and features that users select to have Amazon EMR install and configure when creating a cluster. Applications are packaged using a system based on Apache BigTop, which is an open-source project associated with the Hadoop ecosystem. 
Amazon Kinesis

Amazon Kinesis is a managed service that scales elastically for real-time processing of streaming big data. The service takes in large streams of data records that can then be consumed in real time by multiple data-processing applications that can be run on Amazon EC2 instances. 

  • Amazon Kinesis offers key capabilities to cost-effectively process streaming data at any scale, along with the flexibility to choose the tools that best suit the requirements of your application.
  • With Amazon Kinesis, users can ingest real-time data such as video, audio, application logs, website clickstreams, and IoT telemetry data for machine learning, analytics, and other applications.
  • Amazon Kinesis enables users to process and analyze data as it arrives and respond instantly instead of having to wait until all the data is collected before the processing can begin.
Amazon Elastic Block Store

Amazon Elastic Block Store (Amazon EBS) is a high-performance block storage service designed for use with Amazon Elastic Compute Cloud (EC2) for both throughput-intensive and transaction-intensive workloads at any scale. Amazon EBS provides block-level storage volumes for use with Amazon EC2 instances. Amazon EBS volumes persist independently from the life of the instance.

  • Amazon EBS volumes behave like raw, unformatted block devices that users can mount as devices on their EC2 instances.
  • Amazon EBS volumes are particularly well-suited for use as the primary storage for file systems, databases, or any applications that require fine-grained updates and access to raw, unformatted, block-level storage.
  • Amazon EBS volumes are available in a variety of types that differ in performance characteristics and price. 
Amazon CloudFront

Amazon CloudFront speeds up distribution of static and dynamic web content to end users. CloudFront delivers content through a worldwide network of edge locations. When an end user requests content that users are serving with CloudFront, the end user is routed to the edge location that provides the lowest latency, so that content is delivered with the best possible performance.

  • CloudFront speeds up the distribution of the content by routing each user request through the AWS backbone network to the edge location that can best serve your content.
  • CloudFront is integrated with AWS – both physical locations that are directly connected to the AWS global infrastructure, as well as other AWS services.
  • CloudFront works seamlessly with services including AWS Shield for DDoS mitigation, Amazon S3, Elastic Load Balancing or Amazon EC2 as origins for your applications, and Lambda@Edge to run custom code closer to customers’ users and to customize the user experience.

CloudTrail Concepts

Creating a Trail: Creating a trail means setting the configuration options to start logging AWS API calls and related events. That is, users must turn on the AWS CloudTrail service, set up the target Amazon S3 bucket, (optionally) set up a log group for CloudWatch Logs to monitor log events, and (optionally) create an Amazon SNS topic to deliver AWS CloudTrail notifications.

CloudTrail Console: The AWS CloudTrail console is a web application that users can use to manage the AWS CloudTrail service. The console provides a user interface for performing many AWS CloudTrail tasks such as turning on or editing AWS CloudTrail, selecting an Amazon S3 bucket, setting a prefix, including or excluding API calls from global services such as IAM and AWS STS, and receiving Amazon SNS notifications for log file deliveries.

AWS CloudTrail CLI: The AWS Command Line Interface is a unified tool that enables users to interact with CloudTrail easily from the command line.

AWS CloudTrail APIs: In addition to the console and the CLI, users can also use the AWS CloudTrail RESTful APIs to program AWS CloudTrail directly.

AWS SDKs: As an alternative to using the AWS CloudTrail API, users can use one of the AWS SDKs. Each SDK consists of libraries and sample code for various programming languages and platforms. The SDKs provide a convenient way to create programmatic access to AWS CloudTrail.

  • For example, the SDKs take care of cryptographically signing requests, managing errors, and retrying requests automatically.

IAM and CloudTrail: AWS Identity and Access Management is a web service that enables Amazon Web Services (AWS) customers to manage users and user permissions. Without IAM, organizations with multiple users and systems must either create multiple AWS accounts, each with its own billing and subscriptions to AWS products, or employees must all share the security credentials of a single AWS account. Also, without IAM, users have no control over the tasks a particular user or system can do and what AWS resources they might use.

  • Use IAM to create individual users for anyone who needs access to AWS CloudTrail.
  • Create an IAM user for yourself as well, give that IAM user administrative privileges, and use that IAM user for all work.
  • By creating individual IAM users for people accessing the account, users can give each IAM user a unique set of security credentials. Users can also grant different permissions to each IAM user. If necessary, they can change or revoke an IAM user’s permissions any time.

CloudWatch Logs and AWS CloudTrail: Amazon CloudWatch is a web service that collects and tracks metrics to monitor, in real time, the AWS resources and the applications that users run on AWS. Amazon CloudWatch Logs is a feature of CloudWatch that can be used specifically to monitor log data.

  • Integration with CloudWatch Logs enables CloudTrail to send events containing API activity in the AWS account to a CloudWatch Logs log group. AWS CloudTrail events that are sent to CloudWatch Logs can trigger alarms according to the metric filters users define.
  • Users can optionally configure CloudWatch alarms to send notifications or make changes to the resources being monitored, based on the log stream events that the metric filters extract.
  • Using CloudWatch Logs, users can also track CloudTrail events alongside events from the operating system, applications, or other AWS services that are sent to CloudWatch Logs.
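The metric filter mechanism described above, as an added example that is not part of the original page: a handful of constructed CloudTrail records in the JSON shape CloudTrail delivers to a CloudWatch Logs stream, and a small evaluator for the OR-of-equalities subset of the CloudWatch Logs filter pattern syntax, applied to a filter that counts API calls changing CloudTrail itself (the kind of pattern you would pass to put-metric-filter and then alarm on). The identities, IP addresses, account id and event ids in the sample records are constructed values; the evaluator covers only `{ ($.field = value) || ... }` patterns, not the full syntax.

```python
import json
import re

# CloudWatch Logs metric filter pattern that counts API calls changing
# CloudTrail itself; alarm on the resulting metric being >= 1.
CLOUDTRAIL_CHANGES_PATTERN = (
    "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || "
    "($.eventName = DeleteTrail) || ($.eventName = StartLogging) || "
    "($.eventName = StopLogging) }"
)


def _record(event_name, source, user, ip, event_id, extra=None):
    """Build one constructed CloudTrail record in the delivered JSON shape."""
    rec = {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "userName": user,
                         "accountId": "123456789012"},  # constructed account id
        "eventTime": "2024-01-15T10:00:00Z",
        "eventSource": source,
        "eventName": event_name,
        "awsRegion": "us-east-1",
        "sourceIPAddress": ip,
        "userAgent": "aws-cli/2.13.0",
        "eventID": event_id,
        "eventType": "AwsApiCall",
        "recipientAccountId": "123456789012",
    }
    rec.update(extra or {})
    return rec


# Constructed log lines, one JSON object per line as CloudTrail writes them to
# a CloudWatch Logs stream; the last line simulates a truncated delivery.
SAMPLE_LOG_LINES = [
    json.dumps(_record("DescribeTrails", "cloudtrail.amazonaws.com", "auditor",
                       "198.51.100.7", "00000000-0000-0000-0000-000000000001")),
    json.dumps(_record("StopLogging", "cloudtrail.amazonaws.com", "ops-admin",
                       "203.0.113.9", "00000000-0000-0000-0000-000000000002",
                       {"requestParameters": {"name": "management-trail"}})),
    json.dumps(_record("ConsoleLogin", "signin.amazonaws.com", "ops-admin",
                       "203.0.113.9", "00000000-0000-0000-0000-000000000003")),
    json.dumps(_record("UpdateTrail", "cloudtrail.amazonaws.com", "ops-admin",
                       "203.0.113.9", "00000000-0000-0000-0000-000000000004",
                       {"requestParameters": {"name": "management-trail",
                                              "isMultiRegionTrail": False}})),
    "not json: a partially written line",
]

# One '($.field = value)' term; the value may be quoted or bare.
_TERM_RE = re.compile(r'\(\s*\$\.([A-Za-z0-9_.]+)\s*=\s*"?([^")]+?)"?\s*\)')


def parse_or_pattern(pattern):
    """Parse the '{ (term) || (term) ... }' subset of the filter syntax into
    (field, value) pairs. Only '=' terms joined by '||' are supported."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("expected a JSON-style pattern wrapped in braces")
    if "&&" in body:
        raise ValueError("only '||'-joined equality terms are supported here")
    terms = _TERM_RE.findall(body)
    if not terms:
        raise ValueError("no ($.field = value) terms found")
    return terms


def _lookup(record, dotted_path):
    """Resolve a '$.a.b' path (given without the leading '$.')."""
    current = record
    for part in dotted_path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def matches(record, terms):
    """OR semantics: true if any term's field is present and equals its value."""
    return any(str(_lookup(record, field)) == value
               for field, value in terms
               if _lookup(record, field) is not None)


def scan(lines, pattern=CLOUDTRAIL_CHANGES_PATTERN):
    """Apply the filter to raw log lines; returns (metric count, matching records).
    Lines that are not JSON are skipped, as they cannot match a JSON pattern."""
    terms = parse_or_pattern(pattern)
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches(record, terms):
            hits.append(record)
    return len(hits), hits


if __name__ == "__main__":
    count, hits = scan(SAMPLE_LOG_LINES)
    print(f"metric value: {count}")
    for hit in hits:
        print(hit["eventName"], hit["userIdentity"]["userName"], hit["sourceIPAddress"])
```

Running the block reports a metric value of 2 for the sample lines (the StopLogging and UpdateTrail calls); the DescribeTrails and ConsoleLogin records, and the malformed line, do not count. Nested paths such as `$.userIdentity.userName` resolve the same way CloudWatch Logs addresses JSON fields.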

Regional and Global Services: CloudTrail is a regional service. It creates trails in each region separately. By default, these trails include information for events that occur in those regions, plus events from global services such as IAM and AWS STS. For example, if users have two trails, each in a different region, and they create a new IAM user, the create-user event is added to the log information in both regions. When CloudTrail is configured to aggregate trail information from multiple regions in the account into a single Amazon S3 bucket, IAM events will be duplicated in the logs.

  • The trail for each region will write the same IAM event to the aggregated log. To prevent this duplication, users can include global events selectively.
  • A typical approach is to enable global events in one trail and to disable global events in other trails that write to the same Amazon S3 bucket. 
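The duplication described above, as an added example that is not part of the original page: a simplified model of the delivery rule the text states (a regional trail writes its home region's events, plus global-service events when it includes them), run against constructed events for two regional trails that share one bucket. It shows the duplicate IAM and STS eventIDs that result when both trails include global events, the configuration change the text recommends (global events enabled on one trail only), and a reader-side fallback that collapses duplicates by eventID. Trail names, regions and event ids are constructed values.

```python
from collections import Counter
from dataclasses import dataclass

# Global services whose events are not tied to one region; per the text, each
# regional trail that includes global service events records them.
GLOBAL_EVENT_SOURCES = {"iam.amazonaws.com", "sts.amazonaws.com"}


@dataclass(frozen=True)
class Trail:
    name: str
    home_region: str
    include_global_service_events: bool


# Constructed events as (eventID, eventSource, awsRegion); ids are sample
# values. Global-service events are recorded with awsRegion us-east-1.
SAMPLE_EVENTS = [
    ("evt-0001", "iam.amazonaws.com", "us-east-1"),   # CreateUser
    ("evt-0002", "ec2.amazonaws.com", "eu-west-1"),   # RunInstances
    ("evt-0003", "ec2.amazonaws.com", "us-east-1"),   # StopInstances
    ("evt-0004", "sts.amazonaws.com", "us-east-1"),   # AssumeRole
    ("evt-0005", "s3.amazonaws.com", "eu-west-1"),    # CreateBucket
]


def deliver(trails, events):
    """Simplified model of the delivery rule described in the text: a trail
    writes its home region's events, plus global-service events when the
    trail includes them. Returns (trail name, eventID) pairs as they would
    land in the shared bucket."""
    written = []
    for trail in trails:
        for event_id, source, region in events:
            if source in GLOBAL_EVENT_SOURCES:
                if trail.include_global_service_events:
                    written.append((trail.name, event_id))
            elif region == trail.home_region:
                written.append((trail.name, event_id))
    return written


def duplicated_event_ids(written):
    """eventIDs that ended up in the bucket more than once."""
    counts = Counter(event_id for _, event_id in written)
    return sorted(event_id for event_id, n in counts.items() if n > 1)


def keep_global_events_on(trails, keeper):
    """The configuration the text recommends: only `keeper` includes global
    events; every other trail writing to the same bucket has them disabled."""
    return [Trail(t.name, t.home_region, t.name == keeper) for t in trails]


def unique_event_ids(written):
    """Reader-side fallback: collapse duplicates by eventID when consuming logs."""
    return sorted({event_id for _, event_id in written})


if __name__ == "__main__":
    trails = [Trail("trail-use1", "us-east-1", True),
              Trail("trail-euw1", "eu-west-1", True)]
    print("duplicates:", duplicated_event_ids(deliver(trails, SAMPLE_EVENTS)))
    fixed = keep_global_events_on(trails, "trail-use1")
    print("after fix:", duplicated_event_ids(deliver(fixed, SAMPLE_EVENTS)))
```

With both trails including global events, the bucket receives seven records for five events and the two global-service events (evt-0001 and evt-0004) appear twice; after restricting global events to one trail, every event is written exactly once. Note that this is a model of the behaviour as the page describes it, not a reimplementation of CloudTrail's own delivery logic.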

Security 

AWS CloudTrail

The AWS shared responsibility model applies to data protection in AWS CloudTrail. AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. Users are responsible for maintaining control over the content that is hosted on this infrastructure. This content includes the security configuration and management tasks for the AWS services that customers use. For data protection purposes, AWS recommends that users protect AWS account credentials and set up individual user accounts with AWS Identity and Access Management (IAM). That way each user is given only the permissions necessary to fulfill their job duties.

  • Use multi-factor authentication (MFA) with each account.
  • Use SSL/TLS to communicate with AWS resources. We recommend TLS 1.2 or later.
  • Set up API and user activity logging with AWS CloudTrail.
  • Use AWS encryption solutions, along with all default security controls within AWS services.
  • Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.
  • If FIPS 140-2 validated cryptographic modules are required when accessing AWS through a command line interface or an API, use a FIPS endpoint.

By default, the log files delivered by AWS CloudTrail to the bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, users can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for the AWS CloudTrail log files. To use SSE-KMS with CloudTrail, users create and manage a KMS key, also known as a customer master key (CMK). The decryption is seamless through S3. When authorized users of the key read AWS CloudTrail log files, S3 manages the decryption, and the authorized users are able to read log files in unencrypted form. This approach has the following advantages:

  • Users can create and manage the CMK encryption keys themselves.
  • Users can use a single CMK to encrypt and decrypt log files for multiple accounts across all regions.
  • Users have control over who can use the key for encrypting and decrypting AWS CloudTrail log files. Users can assign permissions for the key to the users in the organization according to the requirements.
  • Users have enhanced security. With this feature, in order to read log files, the following permissions are required:
    • A user must have S3 read permissions for the bucket that contains the log files.
    • A user must also have a policy or role applied that grants decrypt permission under the CMK's key policy.
  • Because S3 automatically decrypts the log files for requests from users authorized to use the CMK, SSE-KMS encryption for AWS CloudTrail log files is backward-compatible with applications that read AWS CloudTrail log data.
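The SSE-KMS permission model above, as an added example that is not part of the original page: a KMS key policy in the shape AWS documents for CloudTrail log encryption (CloudTrail may generate data keys only for trails in the account, and decryption is granted to one named role and only for objects that carry CloudTrail's encryption context), together with a small check that lists who can decrypt and flags decrypt grants that widen that set. The account id, the CloudTrailLogReader role and the weakened "before" policy are constructed for illustration.

```python
import copy
import fnmatch

ACCOUNT_ID = "123456789012"  # constructed sample account id
TRAIL_ARN_PATTERN = f"arn:aws:cloudtrail:*:{ACCOUNT_ID}:trail/*"
LOG_READER_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/CloudTrailLogReader"  # hypothetical
ENCRYPTION_CONTEXT_KEY = "kms:EncryptionContext:aws:cloudtrail:arn"

# Key policy in the shape AWS documents for CloudTrail SSE-KMS: CloudTrail may
# generate data keys only for trails in this account; only the log reader role
# may decrypt, and only objects carrying the CloudTrail encryption context.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         "Condition": {"StringLike": {ENCRYPTION_CONTEXT_KEY: TRAIL_ARN_PATTERN}}},
        {"Sid": "Allow CloudTrail to describe key", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:DescribeKey", "Resource": "*"},
        {"Sid": "Enable CloudTrail log decrypt permissions", "Effect": "Allow",
         "Principal": {"AWS": LOG_READER_ROLE},
         "Action": "kms:Decrypt", "Resource": "*",
         # Null=false means the context key must be present, i.e. the object
         # was written by CloudTrail rather than by some other use of the key.
         "Condition": {"Null": {ENCRYPTION_CONTEXT_KEY: "false"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element to a list of principal strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [p for values in principal.values() for p in _as_list(values)]


def _grants_action(statement, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))


def decrypt_grantees(policy):
    """Principals that some Allow statement lets call kms:Decrypt."""
    return {p for s in policy["Statement"]
            if s.get("Effect") == "Allow" and _grants_action(s, "kms:Decrypt")
            for p in _principals(s)}


def _has_encryption_context_condition(statement):
    return any(ENCRYPTION_CONTEXT_KEY in keys
               for keys in statement.get("Condition", {}).values())


def review_decrypt_grants(policy):
    """Findings for decrypt grants that widen who can read the log files."""
    findings = []
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow" or not _grants_action(s, "kms:Decrypt"):
            continue
        sid = s.get("Sid", "<no Sid>")
        actions = [a.lower() for a in _as_list(s.get("Action", []))]
        if "*" in _principals(s):
            findings.append(f"{sid}: kms:Decrypt granted to every principal")
        # The account-root admin statement is expected; explicit Decrypt grants
        # should be scoped to objects CloudTrail wrote.
        if "kms:*" not in actions and not _has_encryption_context_condition(s):
            findings.append(f"{sid}: kms:Decrypt not limited to the CloudTrail encryption context")
    return findings


def weaken(policy):
    """Constructed 'before' version: decrypt opened to any principal, no condition."""
    weak = copy.deepcopy(policy)
    for s in weak["Statement"]:
        if s.get("Sid") == "Enable CloudTrail log decrypt permissions":
            s["Principal"] = "*"
            s.pop("Condition", None)
    return weak


if __name__ == "__main__":
    print("hardened:", sorted(decrypt_grantees(KEY_POLICY)), review_decrypt_grants(KEY_POLICY))
    print("weakened:", sorted(decrypt_grantees(weaken(KEY_POLICY))), review_decrypt_grants(weaken(KEY_POLICY)))
```

For the hardened policy the check lists only the account root and the log reader role as decrypt-capable and raises no findings; for the weakened variant it reports both that any principal may decrypt and that the grant is not tied to the CloudTrail encryption context, which is exactly the control the bullets above describe losing. The same functions can be pointed at a policy pulled with `aws kms get-key-policy` after parsing its JSON.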

 
