AWS CloudTrail Flashcards

Question 1

Q

What is AWS CloudTrail?

Answer

A

AWS CloudTrail is a service that enables governance, compliance, operational auditing and risk auditing of your AWS account by logging continuously monitoring and retaining account activity related to actions across AWS infrastructure.

Question 2

Q

What types of events does CloudTrail capture?

Answer

A

CloudTrail captures management events (operations on resources) and data events (resource operations like S3 object-level API calls or Lambda function invocations).

Question 3

Q

What is the default behavior of CloudTrail when first enabled?

Answer

A

By default CloudTrail records management events for the last 90 days in the AWS Management Console but to store logs long-term you must create a trail to an S3 bucket.

Question 4

Q

What is a trail in AWS CloudTrail?

Answer

A

A trail is a configuration that enables delivery of CloudTrail events to an Amazon S3 bucket and optionally to CloudWatch Logs or EventBridge.

Question 5

Q

Can a single trail log events from multiple AWS regions?

Answer

A

Yes. Trails can be multi-region capturing events from all regions or single-region.

Question 6

Q

What are the main destinations for CloudTrail logs?

Answer

A

Amazon S3 (for storage) Amazon CloudWatch Logs (for real-time monitoring) and Amazon EventBridge (for event-driven responses).

Question 7

Q

What is the difference between management events and data events?

Answer

A

Management events are operations like creating or deleting an EC2 instance IAM changes etc. Data events are operations on specific resources such as S3 object-level API calls or Lambda function execution logs.

Question 8

Q

Are data events logged by default?

Answer

A

No, data events must be explicitly enabled on a trail.

Question 9

Q

What is an example of a read-only and write management event?

Answer

A

Read-only: DescribeInstances ListBuckets. Write: CreateBucket TerminateInstances.

Question 10

Q

How can CloudTrail logs be analyzed in near real-time?

Answer

A

By integrating CloudTrail with Amazon CloudWatch Logs to create metrics alarms or EventBridge for automated responses.

Question 11

Q

How does CloudTrail integrate with AWS Organizations?

Answer

A

You can create an organization trail to log events for all accounts in the organization automatically.

Question 12

Q

Can CloudTrail be used for compliance audits?

Answer

A

Yes, it provides immutable time-stamped logs of all AWS API calls which are crucial for compliance audits (e.g. PCI DSS; HIPAA; SOC 2). Integration

Question 13

Q

How can CloudTrail logs be secured?

Answer

A

Enable S3 bucket encryption (SSE-S3 or SSE-KMS) enable log file validation to detect tampering use IAM policies to restrict access enable multi-region trails to prevent gaps in logging.

Question 14

Q

What is CloudTrail log file validation?

Answer

A

It creates a hash chain for log files that allows verification that logs have not been altered or deleted.

Question 15

Q

How long can CloudTrail store logs?

Answer

A

Logs are retained in S3 indefinitely or as per your lifecycle policy.

Question 16

Q

You need to monitor S3 object-level API activity across multiple accounts in your AWS Organization. Which CloudTrail feature should you use?

Answer

Study These Flashcards

A

Create an organization trail and enable data events for the S3 buckets.

Question 17

Q

A CloudTrail trail is sending logs to an S3 bucket. You want to trigger an alert if someone deletes a bucket. How would you do this?

Answer

Study These Flashcards

A

Integrate CloudTrail with EventBridge or CloudWatch Logs to trigger alarms for DeleteBucket API events.

Question 18

Q

How do you ensure that CloudTrail continues logging even if an attacker deletes your trail?

Answer

Study These Flashcards

A

Enable multi-region trails and use AWS Organizations to centrally manage trails; enable log file validation and apply S3 bucket policies to prevent deletion.