AWS-04 Cloud Security, Monitoring & Cost Optimization

Shared Responsibility Model

  • Divides responsibility between AWS and the customer
  • AWS → security "of" the cloud: the underlying infrastructure
  • Customers → security "in" the cloud: their applications, data, identities and configuration
  • The line moves with the service: on EC2 the customer patches the guest OS, while for a managed service such as S3 or RDS AWS runs the platform and the customer still controls access and data
  • Teamwork builds a secure cloud environment: AWS cannot fix a misconfigured bucket, and the customer cannot fix a faulty hypervisor

Role of AWS – Security of the Cloud

  • Securing the global infrastructure (hardware, hypervisor, software, networking)
  • Physical security of data centers and regions
  • Running the managed services themselves (the platform behind S3, RDS, Lambda, etc.)
  • Offering security services the customer can switch on (AWS Shield for DDoS protection, WAF, KMS for encryption, GuardDuty for monitoring); configuring them is still the customer's job
  • Compliance shown through regular third-party audits and certifications (SOC, ISO 27001, PCI DSS); the reports are available to customers via AWS Artifact

Role of Customer – Security in the Cloud

  • Configure services securely (e.g., no public S3 buckets, encryption switched on)
  • Patch and harden the guest OS and applications on EC2
  • Use strong passwords and enable MFA, above all on the root user
  • Write IAM policies with least privilege
  • Define network rules: security groups, network ACLs, VPN / Direct Connect
  • Encrypt data at rest and in transit and manage the keys
  • Train employees on safe practices

Amazon CloudWatch

  • An AWS service that monitors resources and applications
  • Helps to:
    • Watch performance
    • Track errors and logs
    • Set alarms for important events
  • Shows how healthy your AWS resources are, and is the place where security alerts (failed logins, CloudTrail changes) can be wired up

Why Use CloudWatch

  • Check if your apps are running well
  • Monitor CPU, network and disk I/O (built-in EC2 metrics); memory and free disk space need the CloudWatch agent on the instance
  • Get alerts automatically if something goes wrong
  • Helps fix problems early

CloudWatch Feature – Metrics

  • Metrics = numbers showing resource usage over time
  • Example: CPU usage, network traffic (built-in); disk space and memory (via the CloudWatch agent); your own custom metrics
  • Each datapoint has a value, a timestamp, a namespace (e.g., AWS/EC2) and dimensions (e.g., InstanceId)
  • Metric math combines metrics into new ones (e.g., errors / requests = error rate)

CloudWatch Feature – Alarms

  • Alarms = automatic warnings
  • Watch a metric over a number of evaluation periods and change state (OK, ALARM, INSUFFICIENT_DATA) when it crosses a threshold
  • Example: CPU > 80% for 3 consecutive periods → notify an SNS topic, or trigger an Auto Scaling policy or EC2 action
  • Can also watch your AWS bill: enable billing alerts, then create the alarm on the EstimatedCharges metric in us-east-1
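The "M out of N" rule behind CloudWatch alarms is what decides whether an alarm flaps or stays quiet. The simulator below is an added example, not AWS code: it reproduces the documented evaluation rule (the last EvaluationPeriods datapoints are examined, and the alarm enters ALARM when at least DatapointsToAlarm of them breach) over a constructed CPU series, and reports when an alarm action would fire. Missing-data handling is simplified to INSUFFICIENT_DATA until a full window exists; the sample values and the alarm names are invented.

```python
"""Simplified model of CloudWatch alarm evaluation (added example, not AWS code).

CloudWatch looks at the last EvaluationPeriods datapoints of a metric and
enters ALARM when at least DatapointsToAlarm of them breach the threshold.
Alarm actions (SNS, Auto Scaling, EC2 actions) fire on state transitions.
Missing-data handling is simplified: INSUFFICIENT_DATA until a full window.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample: CPUUtilization (%) at 5-minute intervals.
CPU_SAMPLE = [40.0, 85.0, 45.0, 90.0, 92.0, 95.0, 50.0]

COMPARISONS = {
    "GreaterThanThreshold": lambda v, t: v > t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "LessThanThreshold": lambda v, t: v < t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
}


@dataclass
class Alarm:
    metric_name: str
    threshold: float
    comparison: str = "GreaterThanThreshold"
    evaluation_periods: int = 1      # N: size of the window examined
    datapoints_to_alarm: int = 1     # M: breaching points needed inside the window

    def __post_init__(self):
        if self.comparison not in COMPARISONS:
            raise ValueError(f"unknown comparison {self.comparison}")
        if not 1 <= self.datapoints_to_alarm <= self.evaluation_periods:
            raise ValueError("DatapointsToAlarm must be between 1 and EvaluationPeriods")

    def breaches(self, value: float) -> bool:
        return COMPARISONS[self.comparison](value, self.threshold)


def evaluate(alarm: Alarm, datapoints: List[float]) -> List[str]:
    """Alarm state after each datapoint arrives: OK, ALARM or INSUFFICIENT_DATA."""
    states = []
    for i in range(len(datapoints)):
        window = datapoints[max(0, i + 1 - alarm.evaluation_periods): i + 1]
        if len(window) < alarm.evaluation_periods:
            states.append("INSUFFICIENT_DATA")
            continue
        breaching = sum(1 for v in window if alarm.breaches(v))
        states.append("ALARM" if breaching >= alarm.datapoints_to_alarm else "OK")
    return states


def alarm_actions(states: List[str]) -> List[int]:
    """Indices where the state changed to ALARM, i.e. where an alarm action fires."""
    fired = []
    for i, state in enumerate(states):
        if state == "ALARM" and (i == 0 or states[i - 1] != "ALARM"):
            fired.append(i)
    return fired


if __name__ == "__main__":
    twitchy = Alarm("CPUUtilization", 80.0)                                   # 1 of 1
    steady = Alarm("CPUUtilization", 80.0, evaluation_periods=3, datapoints_to_alarm=3)
    for label, alarm in (("1 of 1", twitchy), ("3 of 3", steady)):
        states = evaluate(alarm, CPU_SAMPLE)
        print(label, states, "actions fire at", alarm_actions(states))
```

On the sample series the 1-of-1 alarm fires twice and clears in between (a page to the on-call for one noisy datapoint), while the 3-of-3 alarm fires once, only after three consecutive breaches. Tightening DatapointsToAlarm to 2 of 3 keeps the single action but reacts one period earlier.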

CloudWatch Feature – Logs

  • Logs = text records of what a resource or application did
  • Example: application logs from EC2 (shipped by the CloudWatch agent), Route 53 DNS query logs, Lambda output, VPC Flow Logs
  • Helps to find and fix errors and to investigate incidents
  • Kept for a retention period you set per log group (default: never expire); can be encrypted with a KMS key, and metric filters can turn log patterns into metrics and alarms

IAM Users

  • Created for individual people (and sometimes for applications, which is better done with roles)
  • Hold long-term credentials: a console password and/or access keys
  • Permissions given by attaching policies
  • Example: read-only EC2 access

IAM Groups

  • A set of IAM users that share the same policies.
  • Easier management of permissions: attach a policy once to the group instead of to every user.
  • Groups cannot be nested and cannot be named as a principal in a resource policy.
  • Example: an "AutoScalingAdmins" group for scaling tasks.

IAM Roles

  • A role is an identity with policies but no long-term credentials; it is assumed and STS hands out temporary credentials that expire.
  • A trust policy on the role says who may assume it: an AWS service, another account, or federated users.
  • Used when one service needs to access another, for cross-account access, and for people instead of shared access keys.
  • Example: an EKS cluster role that lets the cluster control plane manage EC2 network interfaces and load balancers.

IAM Policies

  • Policies define what actions are allowed or denied.
  • Written in JSON with a Version and one or more Statements, each containing:
    • Effect → Allow / Deny
    • Action → AWS operation (e.g., s3:GetObject); "*" wildcards are allowed
    • Resource → the ARN(s) it applies to (e.g., an S3 bucket or an object path)
    • Condition (optional) → extra tests, such as source IP, MFA present, or a tag value
  • Evaluation: everything is denied by default (implicit deny), and an explicit Deny always wins over any Allow.
  • Multiple policies can be attached to users, groups, or roles.
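The evaluation rules matter more than the JSON syntax, so here is a small simulator, written for this page and not AWS code, that applies them to two constructed policies attached to a hypothetical "log-reader" user: an EC2 read-only policy and an S3 policy whose Deny statement carves a secrets/ prefix out of an otherwise allowed bucket. It implements implicit deny, explicit-Deny-wins, case-insensitive action names, case-sensitive ARNs and the "*" / "?" wildcards. Condition, NotAction/NotResource, resource policies, SCPs and permission boundaries are deliberately left out; the bucket and policy names are invented.

```python
"""Minimal simulator of IAM identity-based policy evaluation (added example, not AWS code).

Rules implemented: implicit deny by default, explicit Deny overrides every
Allow, action names matched case-insensitively, ARNs case-sensitively, both
with IAM's '*' (any run) and '?' (one character) wildcards.  Condition,
NotAction/NotResource, resource policies, SCPs and permission boundaries
are not modelled.
"""
import re
from typing import Any, Dict, List


def _wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    regex = "^" + "".join(parts) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value: Any) -> List[Any]:
    """Action, Resource and Statement may each be a single item or a list."""
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt: Dict[str, Any], action: str, resource: str) -> bool:
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_wildcard_match(a, action, ignore_case=True) for a in actions)
            and any(_wildcard_match(r, resource) for r in resources))


def is_allowed(policies: List[Dict[str, Any]], action: str, resource: str) -> bool:
    """Evaluate one request against all attached identity policies."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False        # explicit deny wins; no need to look further
            allowed = True          # remember the Allow but keep scanning for a Deny
    return allowed                  # False here is the implicit deny


# Constructed policies for a hypothetical "log-reader" user (names invented).
EC2_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
}
LOG_BUCKET_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
        {"Effect": "Deny",          # carve-out: nobody with this policy reads secrets
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::app-logs/secrets/*"},
    ],
}
ATTACHED = [EC2_READ_ONLY, LOG_BUCKET_ACCESS]


if __name__ == "__main__":
    for action, resource in [
        ("ec2:DescribeInstances", "*"),
        ("ec2:TerminateInstances", "*"),
        ("s3:GetObject", "arn:aws:s3:::app-logs/2024/app.log"),
        ("s3:GetObject", "arn:aws:s3:::app-logs/secrets/db.pem"),
    ]:
        verdict = "ALLOW" if is_allowed(ATTACHED, action, resource) else "DENY"
        print(f"{action:24} {resource:42} -> {verdict}")
```

The Deny statement is the part worth copying: it keeps working even if a later, broader Allow is attached to the same user, which is exactly the property the notes describe.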

AWS CloudTrail

  • CloudTrail is a service that records the API calls and sign-in events in your AWS account.
  • It shows who did what, when, and from where.
  • Management events are recorded by default and kept for 90 days in Event history; a trail copies them to S3 for long-term storage; data events (e.g., S3 object reads) must be enabled separately.
  • Helps in security, compliance, and troubleshooting.

Working

  • Every API request made by a user, role or service is logged (delivery takes a few minutes).
  • Records include: identity (userIdentity), action (eventSource and eventName), time, source IP address, request parameters, and an errorCode when the call failed.
  • Logs can be stored in S3 (enable log file validation so tampering is detectable) or sent to CloudWatch Logs for alarms.
  • Example: finding who called ec2:TerminateInstances on a given instance.

Benefits

  • Monitor user activity to detect suspicious behavior (console logins without MFA, root account use, someone stopping CloudTrail itself).
  • Audit compliance for organizations.
  • Investigate problems using the activity history.
  • Long-term log storage for future security analysis.
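To make the "who deleted an EC2 instance" example and the suspicious-behavior benefit concrete, the following is an added example written for these notes, not AWS code. SAMPLE_LOG is a constructed log file in the shape CloudTrail delivers to S3 (a JSON object with a "Records" list); only the fields the code reads are filled in, and the account ID, user names, IP addresses, trail name and instance ID are placeholders. The detection rules are simple ones a practitioner would start from, not a complete rule set.

```python
"""Detection logic over CloudTrail records (added example, not AWS code).

SAMPLE_LOG is constructed in the S3 delivery shape: {"Records": [event, ...]}.
Only the fields used below are filled in; real records carry more.  Account
ID, user names, IPs, trail name and instance ID are placeholders.
"""
import json
from typing import Dict, List, Tuple

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:58:41Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T10:02:13Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation",        # attempt was refused
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc123def456789"}]}}},
    {"eventTime": "2024-05-01T10:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc123def456789"}]}}},
    {"eventTime": "2024-05-01T11:40:55Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "mallory"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T12:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
]})


def load_records(text: str) -> List[Dict]:
    """Parse one CloudTrail log file (the S3 delivery format)."""
    return json.loads(text)["Records"]


def actor(record: Dict) -> str:
    """Readable caller: 'root', an IAM user name, or the ARN as a fallback."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn", "unknown")


def who_terminated(records: List[Dict], instance_id: str) -> List[Tuple[str, str, str]]:
    """(actor, time, source IP) for every successful TerminateInstances call
    naming instance_id.  Failed attempts carry an errorCode and are skipped."""
    hits = []
    for r in records:
        if (r.get("eventSource"), r.get("eventName")) != ("ec2.amazonaws.com", "TerminateInstances"):
            continue
        if r.get("errorCode"):
            continue
        items = r.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
        if any(item.get("instanceId") == instance_id for item in items):
            hits.append((actor(r), r["eventTime"], r.get("sourceIPAddress", "")))
    return hits


TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def find_suspicious(records: List[Dict]) -> List[Tuple[str, str, str]]:
    """Three starter rules: console login without MFA, changes to CloudTrail
    itself, and any use of the root account.  Returns (rule, actor, time)."""
    findings = []
    for r in records:
        name, user, when = r.get("eventName"), actor(r), r.get("eventTime", "")
        if name == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("console-login-without-mfa", user, when))
        if r.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(("cloudtrail-tampering", user, when))
        if r.get("userIdentity", {}).get("type") == "Root":
            findings.append(("root-account-activity", user, when))
    return findings


RECORDS = load_records(SAMPLE_LOG)

if __name__ == "__main__":
    print("terminated i-0abc123def456789:", who_terminated(RECORDS, "i-0abc123def456789"))
    for finding in find_suspicious(RECORDS):
        print("finding:", *finding)
```

Two details are easy to miss when reading CloudTrail by hand: a failed call is logged just like a successful one, distinguished only by errorCode (bob's refused termination above), and the root user has no userName, so the identity must be read from userIdentity.type. In production the same rules would run as CloudWatch Logs metric filters or EventBridge rules on the trail rather than as a script over files.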

Questions

  1. Explain AWS Security Model.
  2. Describe AWS IAM – Users, Groups, Policies, Roles.
  3. What is AWS CloudWatch? Explain Metrics, Logs, Alerts.
  4. What is AWS CloudTrail? Explain Monitor User Activity.
  5. Explain AWS Budgets & Cost Explorer – Manage and Track Billing.

Made By SOU Student for SOU Students