CloudTrail
You can use
- CloudTrail to stream log into CloudWatch Logs
- Then in the CloudWatch, you can setup Metric Filters based on certain condition, (e.g count occurrenencs)
- Set up a CloudWatch Alaram based on Metric filter, trigger alarm once over the limit
- Can notifiy by SNS
You can set up Organization Trail to collect all the CloudTrail events from Children account.
- Organization Trail has to be setup in Mangement account
How to react faster?
Overall, CloudTrail may takeup 15 mins to deliver events
To Speed up:
- CloudWatch Events: Which can be triggered by any API call in CloudTrail, the fastest, most reactive way
- CloudTrail Delivery in CloudWatch Logs: Events are streamed, can perform a metric filter to analyze occurrences and detect anomalies
- CloudTrail Delivery in S3: Events are delivered every 5 mins, possibility of analyzing logs integrity, deliver cross account, long-term storage
S3 Access Points
Previously, you can restrict S3 access by using
- IAM role
- S3 bucket policy
The problem for both is the complexity of the policy / role rules can grow fast and complex.
Access points breaks the complex by two parts:
- Access points only do the mappings, which access points access which buckets
- One policy per access point
- For each VPC, using VPC Gateway Endpoint to access S3
- Define Endpoint Policy rules inside Each VPC
- Access point for Bucket only allow access From VPC
SSL
Normally handle SSL on ALB
It is also possible to handle SSL on EC2 server.
EC2 can retrieve SSL private key at EC2 boot time.
EC2 need to performing SSL encryption / decryption
But it requries CPU, might slow down the applications
One way to improve it is by using CloudHSM SSL Offloading