AWS Certified SysOps Administrator - Associate Exam: Monitoring EC2 Instances for Critical Changes

Question

You are working as a SysOps admin for a large pharma company.

Their infrastructure includes a large number of EC2 instances.

You are concerned about some critical EC2 servers for which any unplanned change would be catastrophic.

You want the operations team to be notified whenever there is a change to these instances.

Notification emails should include the details of the user who performed the change and the changes that were made.

Which of the following services will you use for this purpose?

Answers

Explanations

Correct Answer: C.

AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance.

AWS CloudTrail records user API activity on your account and allows you to access information about this activity.

You get full details about API actions, such as the caller's identity, the time of the API call, the request parameters, and the response elements returned by the AWS service.

Option A is incorrect - Trusted Advisor is an online tool that helps reduce cost, increase performance, and improve security by recommending optimizations to your AWS environment.

Using AWS Config, you can determine what changed on an EC2 instance, but AWS Trusted Advisor will not gather the details of the user who performed the change.

AWS CloudTrail gathers these details.

Option B is incorrect - Using Amazon CloudWatch, you gain system-wide visibility into resource utilization, application performance, and operational health.

To determine configuration changes, you need to use AWS Config instead of AWS CloudWatch.

Option D is incorrect - As with Option B, Amazon CloudWatch gives you system-wide visibility into resource utilization, application performance, and operational health.

AWS CloudWatch cannot gather the details of the user who performed a change; AWS CloudTrail can.

For more information on using both AWS Config & CloudTrail, check the following link:

https://aws.amazon.com/config/faq/

The best choice for the given scenario is the combination of AWS CloudTrail and AWS Config.

AWS CloudTrail is a service that records all the API calls made to AWS services in your account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions taken on your AWS infrastructure. It provides visibility into user activity by tracking changes to resources and giving an audit trail of API calls.

AWS Config, on the other hand, is a service that provides a detailed inventory of your AWS resources, configurations, and their relationships. It continuously monitors and records configuration changes that occur to your AWS resources. Config rules can be set up to check whether changes meet specific criteria and notify you when they do not.

Together, CloudTrail and Config provide a comprehensive solution for monitoring and alerting for changes to your infrastructure.

In this scenario, you can set up AWS CloudTrail to record all API calls made against the critical EC2 instances. You can then use AWS Config to monitor these instances and notify you whenever their configuration changes. You can also set up Config rules to validate the changes and ensure they meet specific criteria. When there is an unexpected change, you receive an alert email with the details of the user who made the change and the changes that were made.
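As an added example (not code from the original page or from AWS), the following Python shows how the two services combine into one alert: AWS Config supplies the configuration diff, CloudTrail supplies the caller identity, and the `relatedEvents` list on the configuration item links the two. The notification and CloudTrail records are constructed samples shaped like the real formats; the event IDs, account ID, ARNs and IP addresses are placeholders.

```python
# Added example: join an AWS Config change notification (what changed) to the
# CloudTrail event that caused it (who did it) and produce the fields the alert
# e-mail needs. Both documents below are constructed; every value is made up.

# Constructed Config SNS message for a critical instance that was resized.
CONFIG_NOTIFICATION = {
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItem": {
        "resourceType": "AWS::EC2::Instance",
        "resourceId": "i-0123456789abcdef0",
        "relatedEvents": ["event-id-placeholder-1"],   # CloudTrail eventIDs
    },
    "configurationItemDiff": {"changeType": "UPDATE", "changedProperties": {
        "Configuration.InstanceType": {
            "previousValue": "m5.xlarge", "updatedValue": "t3.micro",
            "changeType": "UPDATE"}}},
}

# Constructed CloudTrail records; only the first is referenced above.
CLOUDTRAIL_EVENTS = [
    {"eventID": "event-id-placeholder-1", "eventName": "ModifyInstanceAttribute",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventID": "event-id-placeholder-2", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
]


def summarize_diff(notification: dict) -> list[str]:
    """Render configurationItemDiff.changedProperties as 'property: old -> new'."""
    changed = (notification.get("configurationItemDiff") or {}).get("changedProperties", {})
    return [f"{prop}: {c.get('previousValue')} -> {c.get('updatedValue')}"
            for prop, c in sorted(changed.items())]


def build_alert(notification: dict, events: list[dict]) -> dict:
    """Correlate via configurationItem.relatedEvents. Config alone never carries
    the caller's identity, so the alert says so when no CloudTrail record matches."""
    item = notification["configurationItem"]
    wanted = set(item.get("relatedEvents", []))
    ev = next((e for e in events if e.get("eventID") in wanted), None)
    return {
        "resource": f"{item['resourceType']} {item['resourceId']}",
        "changes": summarize_diff(notification),
        "user": ev["userIdentity"].get("arn") if ev else "unknown: no matching CloudTrail event",
        "action": ev["eventName"] if ev else None,
        "source_ip": ev.get("sourceIPAddress") if ev else None,
    }
```

In a deployment the Config notification would arrive via SNS and the CloudTrail record would be fetched with `LookupEvents` or read from the CloudTrail log bucket; the correlation logic is the same.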

Option A (AWS Config and Trusted Advisor): Trusted Advisor can provide recommendations on how to optimize your AWS resources, but it does not provide the required monitoring and alerting for configuration changes.

Option B (AWS CloudWatch and CloudTrail): these provide monitoring and logging, but CloudWatch is not designed to provide a detailed inventory of your resources and their relationships as AWS Config does.

Option D (AWS CloudWatch and Config): these can provide monitoring and alerting for configuration changes, but CloudWatch does not provide an audit trail of API calls as CloudTrail does.