CloudWatch

• To get Memory and disk related metric install cloudwatch agent.

  • Ex: SwapUtilization

• You can configure an Amazon CloudWatch alarm that triggers the recovery of the EC2 instance if it becomes impaired (Instance check fails only not system check fails)

CloudTrail

• By default, only Management events are logged and not data events

• Additional charges apply for data or Insights events

• Protecting CloudTrail Logs:

  • Log to a dedicated and centralized Amazon S3 bucket

  • Enable CloudTrail log file integrity

  • Encrypting CloudTrail log files with AWS KMS–managed keys (SSE-KMS)

  • Amazon S3 bucket policy for CloudTrail

  • Sharing CloudTrail log files between AWS accounts

  • By default, the log files delivered by CloudTrail to your bucket are encrypted by SSE-S3

  • To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for your CloudTrail log files

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html

• To share CloudTrail log files between multiple AWS accounts

1. Create an IAM role for each account that you want to share log files with.

2. For each of these IAM roles, create an access policy that grants read-only access to the account you want to share the log files with.

3. Have an IAM user in each account programmatically assume the appropriate role and retrieve the log files.

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-sharing-logs.html