Migrating Legacy Applications to AWS Using CloudFormation - Best Practices for Tracking API Calls

Question

The company that you are working for has strong security policies, and for AWS services they want to track all API calls if possible. One team has just started using CloudFormation to migrate their legacy application to AWS.

Explanations

Correct Answer - A.

For API tracking in AWS, the first service to think about should be CloudTrail, so Option D is eliminated. CloudTrail supports CloudFormation, and all of its API calls are recorded as events.

Option B is only partially correct, because "Only the input parameter key names are logged; no parameter values are logged." For details on how CloudTrail records CloudFormation API calls, refer to https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-api-logging-cloudtrail.html

The event below is from a stack creation request. It contains only the parameter keys, not their values:

```json
{
  "stackName": "my-test-stack",
  "disableRollback": true,
  "parameters": [
    {
      "parameterKey": "password"
    },
    {
      "parameterKey": "securitygroup"
    }
  ]
}
```

Option B is incorrect: CloudTrail events do not record the parameter values for CloudFormation.

Option C is incorrect because CloudTrail supports CloudFormation and records its API calls.

Option D is incorrect: to trace API calls, the main service should be CloudTrail.
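As an added example, not part of the original page, the following Python reads a CloudTrail log file, picks out CloudFormation stack mutations, and reports who made the call, when, which stack, and which parameter keys were passed, while confirming that no parameter values appear. The log content, user names, account ID and IP address are constructed sample data.

```python
import json

# Constructed sample CloudTrail log (not real account data). The CreateStack
# record mirrors the documented shape: "parameters" carries only parameterKey.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventTime": "2024-01-15T10:22:31Z",
        "eventSource": "cloudformation.amazonaws.com",
        "eventName": "CreateStack",
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {
            "stackName": "my-test-stack",
            "disableRollback": True,
            "parameters": [{"parameterKey": "password"},
                           {"parameterKey": "securitygroup"}],
        },
    },
    {   # unrelated S3 activity that the filter must skip
        "eventTime": "2024-01-15T10:25:02Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/deploy/s1"},
        "requestParameters": {"bucketName": "example-bucket", "key": "obj"},
    },
]})

STACK_MUTATIONS = {"CreateStack", "UpdateStack", "DeleteStack"}


def cloudformation_stack_events(log_text):
    """Summarise each CloudFormation stack mutation found in a CloudTrail log file."""
    summary = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "cloudformation.amazonaws.com":
            continue
        if rec.get("eventName") not in STACK_MUTATIONS:
            continue
        req = rec.get("requestParameters") or {}
        params = req.get("parameters") or []
        ident = rec.get("userIdentity") or {}
        summary.append({
            "time": rec["eventTime"],
            "action": rec["eventName"],
            "stack": req.get("stackName"),
            "actor": ident.get("userName") or ident.get("arn"),
            "parameter_keys": [p.get("parameterKey") for p in params],
            # CloudTrail logs key names only; a value field here would be unexpected
            "values_logged": any("parameterValue" in p for p in params),
        })
    return summary
```

Run `cloudformation_stack_events(SAMPLE_LOG)` to see that the stack creation is reported with its two parameter keys and `values_logged` set to `False`.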

The correct answer is B. Create a new CloudTrail trail and configure an S3 bucket. Include the CloudFormation service for the new trail. All relevant CloudFormation API call information is recorded such as Parameter names, Parameter values, IAM roles, and Tags used during stack creation.

Explanation:

CloudTrail is a service provided by AWS that allows you to track and log all the API calls made to your AWS account. It provides you with a record of all the actions taken on your AWS resources by any user, application, or service. It helps you to track changes to your resources, troubleshoot issues, and meet compliance requirements.

To enable tracking of CloudFormation API calls, you can create a new CloudTrail trail and configure an S3 bucket to store the logs. By default, the CloudFormation service is included in CloudTrail, and all the relevant CloudFormation API call information will be recorded as CloudTrail events. These events contain a lot of useful information that the security team cares about, such as who made the API call, when it was made, and what parameters were used.

Option A is close to the correct answer but not complete. It suggests creating a new CloudTrail and configuring an S3 bucket, which is correct. However, it states that CloudFormation API calls will be recorded as CloudTrail events by default, which is incorrect. CloudFormation is included in CloudTrail by default, but you still need to configure the trail to include CloudFormation API calls.

Option C is incorrect. CloudTrail does support CloudFormation specific API calls, including stack creation and update events. The trail captures API events for resources that CloudFormation has created, as well as for the CloudFormation service itself.

Option D is also incorrect. While AWS Config can monitor CloudFormation activities, it is not the best option for tracking API calls. AWS Config provides a snapshot of the state of your AWS resources at a given point in time, whereas CloudTrail provides a record of all the API calls made to your account over time.