Tools for Monitoring and Security in AWS Infrastructure

Best Monitoring and Security Tools for AWS Infrastructure

Question

You have recently migrated your on-premises data center to AWS.

You have deployed applications on EC2 instances launched within a VPC and are using S3 buckets for storing all data.

At your on-premises location, you had built a customized tool that logged all activities made by users on servers, a notification service that notified the Security Team of any changes made to server configuration, and a tool that checked for insecure ports on applications at risk of being accessed from an external network.

The Security Chief is looking for similar tools that can meet these requirements in the AWS infrastructure.

Which of the following tools can be used to meet this requirement? (Select Three)

Answers

A. Use AWS Config to record API calls to AWS resources.
B. Use AWS Config to track changes in resources with respect to configuration rules.
C. Use AWS CloudTrail to record API calls to AWS resources.
D. Use AWS CloudTrail to track changes in resources with respect to configuration rules.
E. Use Amazon Inspector for security assessment for applications deployed on EC2 instance.
F. Use Amazon GuardDuty for security assessment for applications deployed on EC2 instance.

Explanations

Correct Answer - B, C, E.

AWS Config can be used to track configuration changes made to AWS resources, evaluate them against configuration rules, and deliver a notification to an Amazon SNS topic when a configuration item changes. This covers the change-notification requirement.

AWS CloudTrail can be used to record API calls made to AWS resources, with the identity, time, source IP address and parameters of each call. This covers the user-activity logging requirement for actions taken through the AWS APIs and console. Note that CloudTrail records API activity, not operating-system activity inside an instance: commands run over SSH or RDP still need host-level logs shipped from the instance.

Amazon Inspector can be used to assess EC2 instances for vulnerabilities, including ports and services on the instance that are reachable from external networks. This covers the port-check requirement.

Option A is incorrect because AWS Config tracks configuration changes made to AWS resources; it does not record API calls to AWS resources.

Option D is incorrect because AWS CloudTrail records API calls made to AWS resources; it does not track configuration changes to AWS resources against configuration rules.

Option F is incorrect because Amazon GuardDuty does not perform a security assessment of applications deployed on EC2 instances.

It is a threat detection service that monitors for anomalous behavior in AWS accounts and networks using AWS CloudTrail events, Amazon VPC Flow Logs, and DNS logs.
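The following is an added example, not part of the original page and not AWS code, showing how the three record types from the services above fit together in practice: a CloudTrail record answers "who made the call", an AWS Config change notification answers "what configuration changed", and a port check over the recorded security-group configuration answers "is the result exposed to the internet" (the kind of check that Amazon Inspector's network reachability findings or a Config rule such as restricted-ssh automate). All records below are constructed for illustration; the account ID, ARNs, user names, resource IDs and IP addresses are made up, and the lowerCamelCase field names inside the Config `configuration` block (ipPermissions, ipv4Ranges, cidrIp) are an assumption about the shape Config records for AWS::EC2::SecurityGroup, so check them against what your account actually emits.

```python
import json

# Ports whose exposure to 0.0.0.0/0 the on-premises tool would have flagged.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 1433: "mssql", 6379: "redis"}
# CloudTrail eventName prefixes that mutate state; Describe*/Get*/List* are read-only.
WRITE_PREFIXES = ("Create", "Delete", "Put", "Update", "Modify", "Authorize", "Revoke", "Attach", "Detach")

# Constructed CloudTrail records (same field layout as real events; values are made up).
CLOUDTRAIL_RECORDS = [
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:15:00Z", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"},
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:16:00Z", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::123456789012:user/bob"},
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7", "requestParameters": {}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:20:00Z", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "carol", "arn": "arn:aws:iam::123456789012:user/carol"},
     "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "sourceIPAddress": "198.51.100.9", "requestParameters": {"bucketName": "corp-data"}},
]

# Constructed AWS Config SNS message for the security group alice changed.
CONFIG_MESSAGE = {
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
        "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-05-01T10:15:30Z",
        "configuration": {"ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
            {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306, "ipv4Ranges": [{"cidrIp": "10.0.0.0/16"}], "ipv6Ranges": []},
        ]},
    },
    "configurationItemDiff": {"changeType": "UPDATE", "changedProperties": {
        "Configuration.IpPermissions.0": {"previousValue": None, "changeType": "CREATE",
                                          "updatedValue": {"fromPort": 22, "toPort": 22, "ipProtocol": "tcp"}}}},
}


def write_calls(records):
    """User activity: mutating API calls from a CloudTrail log as who/what/target/from."""
    out = []
    for r in records:
        if not r["eventName"].startswith(WRITE_PREFIXES):
            continue
        params = r.get("requestParameters") or {}
        target = params.get("groupId") or params.get("bucketName") or params.get("instanceId")
        out.append({"time": r["eventTime"], "who": r["userIdentity"].get("arn", "?"),
                    "call": f'{r["eventSource"]}:{r["eventName"]}', "target": target, "from": r["sourceIPAddress"]})
    return out


def world_open_ports(sg_configuration):
    """Port check: inbound rules admitting 0.0.0.0/0 or ::/0, as sorted (proto, from, to, label)."""
    hits = []
    for perm in sg_configuration.get("ipPermissions", []):
        v4 = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])] + list(perm.get("ipRanges", []))
        v6 = [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
        if "0.0.0.0/0" not in v4 and "::/0" not in v6:
            continue
        if perm.get("ipProtocol") == "-1":          # "all traffic" rule: every port is exposed
            hits.append(("all", 0, 65535, "all-traffic"))
            continue
        lo, hi = perm.get("fromPort", -1), perm.get("toPort", -1)
        labels = sorted(n for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi)
        hits.append((perm.get("ipProtocol"), lo, hi, ",".join(labels) or "other"))
    return sorted(hits)


def config_change_alert(message):
    """Change notification: summarize a Config SNS message, or None if it is not a change."""
    if message.get("messageType") != "ConfigurationItemChangeNotification":
        return None
    ci, diff = message["configurationItem"], message.get("configurationItemDiff", {})
    return {"resource": f'{ci["resourceType"]}/{ci["resourceId"]}', "change": diff.get("changeType"),
            "changed_properties": sorted(diff.get("changedProperties", {})),
            "captured": ci["configurationItemCaptureTime"]}


def triage(cloudtrail_records, config_message):
    """Join the three views: what changed (Config), who did it (CloudTrail), exposure (port check)."""
    alert = config_change_alert(config_message)
    if alert is None:
        return None
    resource_id = config_message["configurationItem"]["resourceId"]
    alert["actors"] = [c for c in write_calls(cloudtrail_records) if c["target"] == resource_id]
    alert["world_open_ports"] = world_open_ports(config_message["configurationItem"]["configuration"])
    alert["severity"] = "HIGH" if alert["world_open_ports"] else "INFO"
    return alert


if __name__ == "__main__":
    print(json.dumps(triage(CLOUDTRAIL_RECORDS, CONFIG_MESSAGE), indent=2))
```

Run stand-alone it prints one alert: the security group change, the CloudTrail call by alice that caused it, and SSH (22/tcp) open to the world, rated HIGH; the 3306 rule is ignored because it is restricted to an internal CIDR. No single service produces all three pieces, which is why the question needs CloudTrail, Config and Inspector together.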

For more information on using these tools for security, refer to the following URLs:

https://aws.amazon.com/cloudtrail/faqs/
https://aws.amazon.com/config/faq/
https://aws.amazon.com/inspector/faqs/

Each option, and its relevance to the given scenario, in more detail:

A. Use AWS Config to record API calls to AWS resources.

AWS Config is a service that records the configuration of AWS resources over time, including resource metadata and the relationships between resources. It provides a history of configuration changes and can alert when resources drift out of compliance with desired configurations. What it does not do is record API calls: Config captures the resulting state of a resource, not the call that produced it, which is CloudTrail's job. So option A is not a suitable solution for the given scenario.

B. Use AWS Config to track changes in resources with respect to configuration rules.

As mentioned above, AWS Config tracks changes to AWS resources and provides a history of resource configuration changes, and Config rules check whether resources are compliant with desired configuration. Config can also deliver a notification to an Amazon SNS topic whenever a configuration item changes or a rule's compliance state changes, so the Security Team can be notified of configuration changes to EC2 instances, security groups and S3 buckets. This covers the change-tracking and change-notification requirement, so option B is a correct choice.

C. Use AWS CloudTrail to record API calls to AWS resources.

AWS CloudTrail is a service that provides a history of AWS API calls for your account, including those made through the AWS Management Console, SDKs, command line tools, and other AWS services. Each event records who made the call, when, from which IP address and with which parameters, so it can be used to track user activity against AWS services and resources, including EC2 instances and, with data events enabled, object-level access to S3 buckets. This makes it the tool for logging user activity and detecting unauthorized changes, so option C is a correct choice. One caveat: CloudTrail sees API activity, not what users do at the operating-system level inside an instance; that still needs host-level logging shipped from the instance.

D. Use AWS CloudTrail to track changes in resources with respect to configuration rules.

CloudTrail records that an API call was made, by whom and with what parameters; it does not record the resulting configuration of the resource or evaluate it against configuration rules. So option D is not a suitable solution for the given scenario.

E. Use Amazon Inspector for security assessment for applications deployed on EC2 instance.

Amazon Inspector is a security assessment service that helps improve the security and compliance of applications deployed on EC2 instances. It assesses the instance for software vulnerabilities and for network reachability, reporting ports and services that can be reached from outside the VPC, and provides a list of findings prioritized by severity. That is the AWS equivalent of the on-premises port-checking tool, so option E is a correct choice. It does not log user activity or notify on configuration changes; those requirements are covered by CloudTrail and Config respectively.

F. Use Amazon GuardDuty for security assessment for applications deployed on EC2 instance.

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior in AWS accounts and workloads. It analyzes data from sources such as VPC Flow Logs, DNS logs and CloudTrail events, and uses machine learning and threat intelligence to identify potential security threats, producing findings with recommended actions. It does not assess the applications on an EC2 instance for vulnerable ports or services, so it is not a substitute for Amazon Inspector here, and option F is not a suitable solution for the given scenario.

In conclusion, option C (AWS CloudTrail) logs user activity against AWS resources, option B (AWS Config with configuration rules and SNS notifications) tracks configuration changes and notifies the Security Team, and option E (Amazon Inspector) assesses EC2 instances for exposed ports and services. Options A and D assign each service the other's job, and option F substitutes threat detection for vulnerability assessment. The correct answers are B, C and E.