Concepts

VPC Flow Logs record information about the IP traffic going to and from network interfaces in your VPC. To collect VPC Flow Logs, you need to create a flow log for a VPC, subnet, or network interface.

To enable VPC Flow Logs, use the following steps:

  1. Navigate to the VPC console.
  2. Select the VPC, subnet, or network interface.
  3. Choose “Create flow log” and specify the necessary details, such as the destination log group in CloudWatch Logs or an S3 bucket.

Once enabled, the flow logs capture information such as the source and destination IP addresses, port numbers, protocol, and whether the traffic was accepted or rejected. These logs are useful for network troubleshooting and security analysis.

ELB Access Logs

ELB Access Logs contain detailed information about requests sent to the load balancer. Enabling them helps you understand the nature of the traffic and troubleshoot application issues.

To enable ELB Access Logs:

  1. Open the Amazon EC2 console.
  2. Navigate to the Load Balancers section.
  3. Select the ELB and go to the “Attributes” tab.
  4. Find “Access logs” and click on “Edit.” Enable the logs and set the S3 destination for the logs.

The logs contain data such as client IP addresses, request paths, server responses, and request processing times.

AWS WAF Web ACL Logs

AWS WAF Web ACL Logs capture the details of incoming web requests that AWS WAF processes. They’re useful for identifying and understanding web attack patterns.

To enable AWS WAF logs:

  1. Go to the AWS WAF & Shield console.
  2. Select the corresponding Web ACL.
  3. Enable logging under the “AWS WAF logs” option. Specify the Amazon Kinesis Data Firehose, which will deliver the logs to an S3 bucket or CloudWatch Logs.

These logs consist of HTTP(S) request details, such as the IP address, URI, headers, and the rule that the request matched.

CloudFront Logs

CloudFront provides two types of logs: access logs (standard logs) and real-time logs. Access logs are useful for in-depth analysis, whereas real-time logs are beneficial for immediate access to data.

To enable standard access logs:

  1. Navigate to the CloudFront console.
  2. Choose the distribution and go to the “Distribution Settings.”
  3. Select the “Logs” tab and update the settings, specifying an S3 bucket for the logs.

CloudFront logs include the requester’s IP address, request URLs, HTTP status codes, and edge location details.

Interpreting Logs

Once you have collected these logs, you need to interpret them to gain insights. AWS provides several tools for this purpose:

  • Amazon CloudWatch Logs Insights: For querying and visualizing log data.
  • Amazon Athena: For running SQL queries on logs stored in S3.
  • Third-party tools: Like Splunk or Sumo Logic, integrated with AWS for log analysis.

For example, with Amazon Athena you could run a query on your VPC Flow Logs to find the volume of rejected traffic over the last 24 hours:

SELECT
interface_id,
srcaddr,
dstaddr,
count(*) as request_count
FROM
“your_flow_logs_database”.”your_flow_logs_table”
WHERE
action=’REJECT’ AND
parse_datetime(timestamp, ‘yyyy-MM-dd”T”HH:mm:ss.SSS’) > date_add(‘day’, -1, now())
GROUP BY
interface_id, srcaddr, dstaddr
ORDER BY
request_count DESC;

Parsing and interpreting logs effectively enable SysOps Administrators to maintain the performance, security, and reliability of AWS environments. There are also AWS certification-specific questions that will test your knowledge on how to enable and interpret the different types of logs provided by AWS. Understanding the format and the kind of data each type of log contains is critical for the AWS Certified SysOps Administrator – Associate exam.

Answer the Questions in Comment Section

True or False: Amazon CloudFront logs can only be delivered to an Amazon S3 bucket in the same AWS region as the CloudFront distribution.

  • A) True
  • B) False

Answer: B) False

Explanation: Amazon CloudFront logs can be delivered to an Amazon S3 bucket in any AWS region, not just the region where the CloudFront distribution is located.

Which AWS service is primarily used to collect and analyze VPC Flow Logs?

  • A) Amazon CloudWatch
  • B) AWS Config
  • C) Amazon Inspector
  • D) AWS CloudTrail

Answer: A) Amazon CloudWatch

Explanation: VPC Flow Logs can be published to Amazon CloudWatch Logs and Amazon S3 for storage and analysis.

True or False: AWS WAF web ACL logs can be stored in Amazon S3 buckets for long-term retention.

  • A) True
  • B) False

Answer: A) True

Explanation: AWS WAF logs can be sent to Amazon Kinesis Data Firehose and then to Amazon S3 for long-term retention.

When enabling logging for an Elastic Load Balancer, you must specify which of the following?

  • A) An existing EC2 instance
  • B) An Amazon S3 bucket
  • C) An Amazon RDS database
  • D) An AWS CloudTrail trail

Answer: B) An Amazon S3 bucket

Explanation: ELB access logs are stored in the Amazon S3 bucket that you specify.

True or False: To enable VPC Flow Logs, the VPC must have at least one running instance.

  • A) True
  • B) False

Answer: B) False

Explanation: VPC Flow Logs can be enabled for a VPC regardless of whether there are running instances or not.

Which AWS service provides log data specific to incoming and outgoing network traffic within your AWS infrastructure?

  • A) AWS CloudTrail
  • B) VPC Flow Logs
  • C) AWS Config
  • D) AWS X-Ray

Answer: B) VPC Flow Logs

Explanation: VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC.

True or False: You can use AWS Athena to query ELB access logs stored in Amazon S

  • A) True
  • B) False

Answer: A) True

Explanation: AWS Athena allows you to run SQL queries on ELB access logs and other logs stored in Amazon S

AWS WAF web ACL logs include which of the following information? (Select TWO)

  • A) Request method (GET, POST, etc.)
  • B) User’s secret access key
  • C) HTTP response code
  • D) Network interface ID
  • E) Rule ID within the web ACL that matched the request

Answer: A) Request method (GET, POST, etc.), C) HTTP response code

Explanation: AWS WAF logs contain details about the web request such as the request method, HTTP response code, and the rule ID that matched the request. It does not include sensitive user credentials or network interface IDs.

Which of the following is NOT a valid destination for VPC Flow Logs?

  • A) AWS CloudWatch Logs
  • B) Amazon S3
  • C) Amazon QuickSight
  • D) Amazon Kinesis Data Firehose

Answer: C) Amazon QuickSight

Explanation: VPC Flow Logs can be published directly to AWS CloudWatch Logs, Amazon S3, and Amazon Kinesis Data Firehose, but not directly to Amazon QuickSight.

True or False: CloudFront access logs can include data about viewers’ requests such as the IP address, user-agent, and query string.

  • A) True
  • B) False

Answer: A) True

Explanation: CloudFront access logs capture detailed information about every user request that CloudFront receives, including the viewer’s IP address, user-agent, and query string.

0 0 votes
Article Rating
Subscribe
Notify of
guest
29 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Annabelle Morris
8 months ago

Thanks for the informative blog post!

Eva Wilson
6 months ago

Highly appreciate the detailed insights on VPC Flow Logs.

Loane Renard
8 months ago

While VPC Flow Logs are great, how do you recommend filtering out noise for efficient log analysis?

Hetal Moolya
7 months ago

Great breakdown of ELB access logs. These logs are a lifesaver for debugging issues!

Monika Klein
8 months ago

Is there any way to simplify the analysis of CloudFront logs? The raw logs can get pretty overwhelming.

Zora Perišić
5 months ago

Nice explanation! AWS WAF web ACL logs have been a game changer for us.

Lorena Gutiérrez
8 months ago

For AWS WAF logs, how often should we rotate the logs to avoid storage issues?

Jose Carr
7 months ago

This post is super helpful for the AWS Certified SysOps Administrator – Associate exam preparation.

29
0
Would love your thoughts, please comment.x
()
x