
1. Monitoring/Metrics/Logging
1.1. CloudWatch
Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you
run on AWS. You can use Amazon CloudWatch to
- collect and track metrics,
- collect and monitor log files,
- set alarms, and automatically react to changes in your AWS resources.
Amazon CloudWatch can monitor AWS resources such as Amazon EC2 instances, Amazon
DynamoDB tables, and Amazon RDS DB instances, as well as custom metrics generated by your
applications and services, and any log files your applications generate. You can use Amazon
CloudWatch to gain system-wide visibility into resource utilization, application performance, and
operational health. You can use these insights to react and keep your application running
smoothly.
Namespaces are containers for metrics.

1.2. CloudWatch Custom Metrics


1.3. CloudWatch Alarms
Alarms:
- initiate actions on your behalf,
- based on parameters you specify,
- against metrics you have in use.

Alarm actions are sent to
- SNS, for notification
- an Auto Scaling group, for action

Alarm states
OK --> the metric is within the threshold you defined
ALARM --> the metric is outside the threshold you defined
INSUFFICIENT_DATA --> not enough data to determine the alarm state

1.4. CloudWatch Logs

Main Purpose
1.5. CloudTrail
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk
auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain
account activity related to actions across your AWS infrastructure. CloudTrail provides event
history of your AWS account activity, including actions taken through the AWS Management
Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies
security analysis, resource change tracking, and troubleshooting.

Q: What is applying a trail to all regions?


Applying a trail to all regions refers to creating a trail that will record AWS account activity in all
regions. This setting also applies to any new regions that are added. For more details on regions and
partitions, refer to the Amazon Resource Names and AWS Service Namespaces page.

Q: What are the benefits of applying a trail to all regions?


You can create and manage a trail across all regions in the partition in one API call or a few clicks. You
will receive a record of account activity made in your AWS account across all regions in one S3
bucket or CloudWatch Logs log group. When AWS launches a new region, you will receive the log
files containing event history for the new region without taking any action.
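As an added example (not from these notes or from AWS), the following Python check audits trail descriptions for the all-regions setting discussed above. The dictionaries mirror the 'trailList' entries returned by the CloudTrail DescribeTrails API as assumed here; the trail names, bucket, account ID and ARN are constructed sample values.

```python
# Added example, not from these notes: audit CloudTrail trail descriptions
# for region coverage. Each dict mirrors a 'trailList' entry returned by the
# CloudTrail DescribeTrails API; the values are constructed sample data.
from typing import Dict, List

SAMPLE_TRAILS: List[Dict] = [  # constructed sample, not a real account
    {"Name": "org-trail", "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
     "S3BucketName": "example-cloudtrail-bucket",
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/logs:*"},
    {"Name": "eu-only-trail", "HomeRegion": "eu-west-1",
     "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": False,
     "S3BucketName": "example-eu-bucket"},
]


def audit_trail(trail: Dict) -> List[str]:
    """Return findings for one trail description (empty list = no issue)."""
    name = trail["Name"]
    findings = []
    if not trail.get("IsMultiRegionTrail", False):
        # A single-region trail records only its home region, so activity in
        # other regions, and in regions AWS adds later, is never captured.
        findings.append(f"{name}: not applied to all regions "
                        f"(home region {trail.get('HomeRegion', 'unknown')})")
    if not trail.get("IncludeGlobalServiceEvents", False):
        # IAM, STS and other global services log via global service events.
        findings.append(f"{name}: global service events not included")
    if not trail.get("S3BucketName") and not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append(f"{name}: no S3 bucket or CloudWatch Logs log group delivery")
    return findings


def audit_trails(trails: List[Dict]) -> List[str]:
    """Audit every trail; add an account-level finding if none covers all regions."""
    findings = [f for t in trails for f in audit_trail(t)]
    if not any(t.get("IsMultiRegionTrail", False) for t in trails):
        findings.append("ACCOUNT: no trail applies to all regions")
    return findings
```

Feeding the real 'trailList' from DescribeTrails into audit_trails gives the same findings for a live account.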
2. Security Governance Validation

2.1. Delegation & Federation

Delegation: You can allow users in other AWS accounts access to resources in your account directly.

Federation: Federation allows users from external IdPs access to your account. Two types of
federation:
- Corporate/Enterprise Identity Federation
  - Sources include: Active Directory, LDAP
  - You can use a custom federation proxy, SAML, or AWS Directory Service.
- Web/Social Identity Federation
2.2. Corporate Identity Federation
GetFederationToken doesn't support MFA.
2.3. Web Identity Federation
