1 Answers
Hi, the key words in this question are that you need to trace all changes made, as well as prevent anyone attempting to conceal unauthorized activities.
We use CloudTrail to trace all changes, not just to the infrastructure but any activities or API calls in your account, even the unsuccessful ones.
Config allows you to automate the evaluation of recorded configurations against desired configuration – but you need to have desired configurations to allow you to do this. It doesn’t give you a trail of who did what and when though – for that you’ll need CloudTrail.
If you selected C & D then that doesn’t prevent tampering or deletion of the evidence. So answer B must be part of the answer.
There’s a pretty good explanation here too:
https://aws.amazon.com/config/
With AWS Config, you can capture a comprehensive history of your AWS resource configuration changes to simplify troubleshooting of your operational issues. Config helps you identify the root cause of operational issues through its integration with AWS CloudTrail, a service that records events related to API calls for your account. Config leverages CloudTrail records to correlate configuration changes to particular events in your account. You can obtain the details of the event API call that invoked the change (e.g., who made the request, at what time, and from which IP address) from the CloudTrail logs.
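The following is an added example, not part of the original answer or of AWS documentation. It reads CloudTrail records and reports who tried to stop or delete audit logging, when, and from which IP address, including attempts that failed. The sample records, account ID, user names and IP addresses are constructed, and the list of watched API calls is an assumption about what counts as concealment.

```python
import json

# CloudTrail and Config API calls that stop, delete or narrow audit logging.
# Which calls to watch is an assumption of this example.
TAMPER_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder"},
}

# Constructed sample in the CloudTrail log file layout (not real account data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-10T09:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-01-10T09:31:17Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ops/session1"}},
    {"eventTime": "2024-01-10T09:20:41Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.45",
     "errorCode": "AccessDenied", "errorMessage": "User is not authorized",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/mallory"}},
]})


def find_tampering(log_text):
    """Return who/when/where for every logging-tampering call, oldest first."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        watched = TAMPER_EVENTS.get(rec.get("eventSource"), ())
        if rec.get("eventName") not in watched:
            continue
        identity = rec.get("userIdentity", {})
        # errorCode is present only when the call did not succeed.
        failed = "errorCode" in rec
        findings.append({
            "when": rec.get("eventTime", ""),
            "who": identity.get("arn") or identity.get("type", "unknown"),
            "from_ip": rec.get("sourceIPAddress"),
            "action": rec["eventName"],
            "outcome": "failed (%s)" % rec["errorCode"] if failed else "succeeded",
        })
    return sorted(findings, key=lambda f: f["when"])


if __name__ == "__main__":
    for finding in find_tampering(SAMPLE_LOG):
        print(finding)
```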