AWS Certified Developer Associate Hints - Monitoring and Audit, Encryption, Cognito (Part VI)

Monitoring and Audit

AWS CloudWatch

CloudWatch Metrics

  • Collects metrics for AWS resources.
  • Standard monitoring: Every 5 minutes (default for EC2).
  • Detailed monitoring ($): Every 1 minute.
  • Free tier allows 10 detailed metrics.
  • Memory (RAM) usage is NOT pushed by default.

CloudWatch Custom Metrics

  • Push custom metrics via API (PutMetricData).
  • Uses dimensions (e.g., instance.id, environment.name).
  • Metric resolution:
    • Standard: 1 min.
    • High resolution ($): 1/5/10/30 sec.
  • Supports future timestamps.

CloudWatch Logs

  • Log Groups: Represent an application.
  • Log Streams: Instance/container log files.
  • Expiration Policy: Retention from 30 days to indefinite.
  • Subscription Filters:
    • Send logs to S3, Kinesis, Lambda, OpenSearch.
  • Unified CloudWatch Agent: Collects logs and metrics.

CloudWatch Alarms

  • Three states: OK, Insufficient Data, Alarm.
  • Can trigger:
    • EC2 actions (start/stop/reboot).
    • Auto Scaling (scale up/down).
    • Amazon SNS notifications.
  • Composite alarms: Combine multiple alarms using AND/OR.

CloudWatch Synthetic Canary

  • Scripted Node.js or Python tests that change Route 53 DNS.

AWS X-Ray

  • Tracing for microservices.
  • Segments & Subsegments:
    • Segments: Data sent by each app.
    • Subsegments: Deeper insights within segments.
  • Trace: Segments collected into an end-to-end request.
  • Sampling Rules: Limits requests sent to X-Ray to reduce costs.
  • Annotations & Metadata:
    • Annotations: Key-value pairs used for indexing.
    • Metadata: Key-value pairs not indexed.
  • Compatible with:
    • Lambda, Beanstalk, ECS, ELB, API Gateway, EC2.
  • X-Ray Instrumentation: Measures app performance, logs trace info.

AWS CloudTrail

  • API call auditing (enabled by default).
  • Get API history: Console, CLI, SDK, AWS services.
  • Can store logs in S3 (beyond 90 days).
  • Types of Events:
    • Management Events (default, read/write API calls).
    • Data Events (not enabled by default, e.g., S3 access).
  • CloudTrail Insights (paid service): Detects unusual API activities.

Encryption

AWS Encryption Methods

  • Encryption in transit: SSL/HTTPS.
  • Encryption at rest: Server-Side Encryption (SSE).
  • Client-side encryption: Data is encrypted before transfer.

AWS Key Management Service (KMS)

  • Symmetric Encryption: AES-256 (same key for encrypt/decrypt).
  • Asymmetric Encryption: RSA & ECC (key pairs).
  • Key types:
    • AWS-owned keys (default for services like S3, SQS).
    • AWS-managed keys (aws/ebs, aws/rds).
    • Customer-managed keys (CMK).
    • Imported CMKs (only symmetric keys).

KMS Key Sharing

  • Possible to share keys with another AWS account.
  • Controlled using KMS Key Policies.

KMS API Calls

  • GenerateDataKey: Creates a DEK (Data Encryption Key).
  • Encrypt: Uses DEK for encryption.
  • Decrypt: Uses encrypted DEK to decrypt data.

KMS Quotas

  • Shared quotas per region (5-10K API calls), adjustable.

KMS + Lambda Integration

  1. Use environment variables.
  2. Encrypt values using KMS.
  3. Decrypt inside Lambda function.
  4. Grant Lambda IAM permissions to KMS.

AWS CloudHSM

  • Dedicated hardware security module (HSM).
  • Supports both symmetric & asymmetric encryption.
  • Keys are isolated and cannot be extracted.
  • KMS can integrate with CloudHSM.
  • Supports MFA.

AWS Secrets Manager

  • Automatic secret rotation (up to 365 days) using Lambda.
  • Integrates with RDS, Redshift, DocumentDB.
  • ManageMasterUserPassword=true adds Secrets Manager to CloudFormation.

AWS Systems Manager (SSM) Parameter Store

  • Secure storage for configuration parameters.
  • Supports hierarchical storage.
  • String (4KB) and SecureString (KMS encrypted, 8KB for advanced tier).

CloudWatch Logs Encryption

  • KMS encryption supported.
  • Log groups can be encrypted.
  • Encryption configured via API (associate-key).

AWS Nitro Enclaves

  • Isolated execution environment (no SSH access).
  • Used for cryptographic operations.
  • Runs on Nitro Hypervisor, secure local channel.

AWS Cognito

Cognito User Pools

  • User authentication for apps.
  • Integration with API Gateway & ALB.
  • Sign in with email, phone, or social providers (Google, Facebook).
  • Supports MFA, federated identity providers (SAML, OpenID Connect).
  • Adaptive authentication: Detects unusual logins, applies MFA if needed.
  • Lambda Triggers: Custom login/signup/token handling.

Cognito Identity Pools (Federated Identity)

  • Provides AWS credentials to users.
  • Supports Google, Facebook, Cognito User Pools, SAML, custom logins.
  • Allows guest access (unauthenticated users).

Conclusion

This post covers AWS CloudWatch, CloudTrail, KMS, and Cognito, essential AWS services for monitoring, auditing, encryption, and authentication. Understanding these topics is key to AWS Certified Developer Associate exam success.