Task Statement 4.2: Validate and audit security by using network monitoring and logging services.
📘AWS Certified Advanced Networking – Specialty
1. What is Network Monitoring and Logging?
🔹 Network Monitoring
Monitoring means observing what is happening in your network in real time:
- Who is connecting?
- Is traffic normal or suspicious?
- Are systems healthy?
🔹 Logging
Logging means recording events for later analysis and auditing:
- Who accessed what?
- When did changes happen?
- What traffic flowed in the network?
👉 In AWS, monitoring + logging = visibility + security + compliance
2. Why This Matters for the Exam
You must understand:
- Which AWS service is used for what purpose
- When to use logs vs metrics vs packet capture
- How services work together
- Differences between real-time monitoring vs historical auditing
3. Core AWS Monitoring and Logging Services
3.1 Amazon CloudWatch
🔹 What it is
A monitoring and observability service.
🔹 What it does
- Collects metrics (CPU, network traffic, latency)
- Collects logs
- Triggers alerts (alarms)
🔹 Key Features
- CloudWatch Metrics → numeric data (e.g., network bytes in/out)
- CloudWatch Logs → application and system logs
- CloudWatch Alarms → alert when a threshold is exceeded
🔹 Network Security Use Cases
- Detect traffic spikes
- Alert on unusual network activity
- Monitor load balancers, NAT gateways, VPNs
🔹 Exam Tips
- CloudWatch = metrics + logs + alarms
- Used for real-time monitoring and alerting
- Does NOT capture packet-level data
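The alarm behaviour described above (a metric, a threshold, and an alert when the threshold is exceeded) can be demonstrated offline. The block below is an added example, not code from the study guide or from AWS: it re-implements CloudWatch's "M out of N datapoints" alarm evaluation in plain Python over a constructed series of NetworkOut datapoints. The metric name, threshold, period values and the datapoints themselves are all assumptions made for the illustration.

```python
# Added example (not from the original study guide): evaluates a CloudWatch-style
# "M out of N datapoints above threshold" alarm over a constructed NetworkOut series.
# Metric name, threshold and datapoints are assumptions, not data from any real account.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class AlarmConfig:
    metric: str
    threshold: float            # bytes per period (assumed value)
    evaluation_periods: int     # N: how many recent periods are examined
    datapoints_to_alarm: int    # M: how many of those must breach the threshold


# Constructed NetworkOut datapoints (bytes per 5-minute period) for one interface:
# a quiet baseline, a sustained outbound spike, then a return to baseline.
SAMPLE_NETWORK_OUT = [
    1_200_000, 1_350_000, 1_100_000, 1_400_000,     # baseline
    9_800_000, 11_200_000, 10_500_000,              # spike worth alerting on
    1_300_000, 1_250_000,                            # back to normal
]


def evaluate(series: List[float], cfg: AlarmConfig) -> List[Tuple[int, str]]:
    """Return (period_index, state) once enough datapoints exist to fill the window.

    State is ALARM when at least M of the last N datapoints exceed the threshold
    and OK otherwise. This mirrors CloudWatch's M-out-of-N semantics but is our own
    evaluator; missing-data handling is deliberately left out of this illustration.
    """
    states = []
    for i in range(cfg.evaluation_periods - 1, len(series)):
        window = series[i - cfg.evaluation_periods + 1 : i + 1]
        breaches = sum(1 for v in window if v > cfg.threshold)
        states.append((i, "ALARM" if breaches >= cfg.datapoints_to_alarm else "OK"))
    return states


def transitions(states: List[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Collapse per-period states into state changes (OK->ALARM, ALARM->OK).

    These transitions are the moments an alarm action (e.g. an SNS notification)
    would fire; repeated ALARM periods do not re-notify.
    """
    out, prev = [], None
    for i, s in states:
        if s != prev:
            out.append((i, s))
            prev = s
    return out


if __name__ == "__main__":
    cfg = AlarmConfig("NetworkOut", threshold=5_000_000,
                      evaluation_periods=3, datapoints_to_alarm=2)
    for i, s in transitions(evaluate(SAMPLE_NETWORK_OUT, cfg)):
        print(f"period {i}: {s}")
```

With N=3 and M=2 the single high period at index 4 does not raise the alarm on its own; the alarm enters ALARM at index 5 once two of the last three datapoints breach, and returns to OK at index 8. That M-out-of-N setting is what lets a CloudWatch alarm ignore a one-off burst while still catching a sustained traffic spike.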
3.2 AWS CloudTrail
🔹 What it is
A logging service for API activity and account actions.
🔹 What it records
- AWS API calls (who did what, when, from where)
- Changes to resources (e.g., route tables, security groups)
🔹 Key Features
- Tracks control plane activity
- Can send logs to:
  - Amazon S3
  - CloudWatch Logs
- Supports multi-region logging
🔹 Network Security Use Cases
- Audit changes to:
  - VPC configurations
  - Security groups
  - Network ACLs
- Detect unauthorized changes
🔹 Example (IT-focused)
- If someone modifies a security group rule → CloudTrail logs it
🔹 Exam Tips
- CloudTrail = “Who did what in AWS”
- Focus on audit and compliance
- Not for traffic analysis
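The "who did what in AWS" audit use case can be shown against CloudTrail's record format without touching an AWS account. The block below is an added example, not code from the study guide or from AWS: it reads a constructed CloudTrail log file (the real files wrap events in a `Records` array), keeps only EC2 events that change network configuration, and reports who made the change, when, from which IP and in which region. The sample events, identities, IP addresses and resource IDs are all constructed for the illustration; the event names in the watch list are genuine CloudTrail `eventName` values, but the list is illustrative rather than exhaustive.

```python
# Added example (not from the original study guide): audits constructed CloudTrail
# records for network control-plane changes. All sample values are made up.
import json

# Real EC2 eventName values that modify the network control plane. This watch list
# is an assumption for the example and is not complete.
NETWORK_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateRoute", "DeleteRoute", "ReplaceRoute",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}

# Constructed CloudTrail log content: one security group change, one read-only
# Describe call (not a change), and one default-route creation by an assumed role.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {
        "eventTime": "2024-05-01T10:15:02Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "awsRegion": "eu-west-1",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"groupId": "sg-0123456789abcdef0"},
    },
    {
        "eventTime": "2024-05-01T10:16:40Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeSecurityGroups",
        "awsRegion": "eu-west-1",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": None,
    },
    {
        "eventTime": "2024-05-01T23:48:11Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateRoute",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.9",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"},
        "requestParameters": {"routeTableId": "rtb-0abc1234def567890",
                              "destinationCidrBlock": "0.0.0.0/0"},
    },
]})


def who(identity: dict) -> str:
    """Best-effort principal name: IAM user name, else the ARN, else the identity type."""
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def audit_network_changes(raw: str) -> list:
    """Return one finding per EC2 event that changed network configuration.

    Read-only calls (Describe*) are skipped: CloudTrail records them too, but they
    are not configuration changes and would only add noise to an audit report.
    """
    findings = []
    for r in json.loads(raw)["Records"]:
        if r.get("eventSource") != "ec2.amazonaws.com":
            continue
        if r.get("eventName") not in NETWORK_CHANGE_EVENTS:
            continue
        findings.append({
            "when": r["eventTime"],
            "who": who(r.get("userIdentity", {})),
            "from": r.get("sourceIPAddress"),
            "region": r.get("awsRegion"),
            "action": r["eventName"],
            "target": r.get("requestParameters") or {},
        })
    return findings


if __name__ == "__main__":
    for f in audit_network_changes(SAMPLE_CLOUDTRAIL):
        print(f"{f['when']} {f['who']} from {f['from']} ({f['region']}): "
              f"{f['action']} {f['target']}")
```

The output answers the audit question directly (user, time, source IP, region, action, resource) while saying nothing about the traffic itself, which is exactly the split the exam tests: CloudTrail records control-plane activity, and data-plane questions belong to Flow Logs or Traffic Mirroring.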
3.3 VPC Flow Logs
🔹 What it is
Captures metadata about the IP traffic flowing through a VPC.
🔹 What it records
- Source IP, destination IP
- Port numbers
- Protocol
- ACCEPT / REJECT status
🔹 What it does NOT capture
- Packet content
- Payload data
🔹 Where it works
- VPC
- Subnet
- Network Interface (ENI)
🔹 Network Security Use Cases
- Identify:
  - Allowed/denied traffic
  - Suspicious IP communication
- Troubleshoot connectivity issues
🔹 Example (IT-focused)
- A server cannot connect to a database → Flow Logs show REJECT traffic
🔹 Exam Tips
- Flow Logs = metadata only (not full packets)
- Good for:
  - Troubleshooting
  - Basic traffic monitoring
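The fields listed above (source and destination IP, ports, protocol, ACCEPT/REJECT) are exactly what the default Flow Logs record carries, and the "server cannot connect to a database" case is a query over those fields. The block below is an added example, not code from the study guide or from AWS: it parses records in the default VPC Flow Logs format (the documented 14-field order), skips `NODATA` records, and then answers two questions: which sources had traffic to the database rejected, and which destination ports are seeing rejects overall. The sample records, addresses, account and ENI IDs are constructed for the illustration.

```python
# Added example (not from the original study guide): parses constructed VPC Flow Logs
# records in the default format and summarises REJECT traffic. Sample data is made up.
from collections import Counter
from typing import Dict, List

# Field order of the default (version 2) VPC Flow Logs record format.
FLOW_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status"]

# Constructed records from a flow log on the database ENI (10.0.2.40, PostgreSQL on
# TCP/5432, protocol 6): one app server is rejected twice, another is accepted,
# an external address probing SSH is rejected, and one interval had no data.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 10.0.2.40 49152 5432 6 3 180 1714557600 1714557660 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 10.0.2.40 49153 5432 6 3 180 1714557660 1714557720 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.26 10.0.2.40 51000 5432 6 12 4100 1714557600 1714557660 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.77 10.0.2.40 40022 22 6 1 44 1714557600 1714557660 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1714557720 1714557780 - NODATA
"""


def parse_flow_log(text: str) -> List[dict]:
    """Parse default-format flow log lines into dicts, dropping records without traffic data."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS):
            continue  # malformed or custom-format line; a custom format needs its own field list
        rec = dict(zip(FLOW_FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records carry "-" in the traffic fields
        for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def rejected_to(records: List[dict], dstaddr: str, dstport: int) -> Dict[str, int]:
    """Sources whose traffic toward dstaddr:dstport was rejected, with a count per source.

    This is the troubleshooting check from the text: a REJECT on the destination ENI
    normally means a security group or network ACL is blocking the flow, and the
    metadata tells you which source to look at even though no payload is recorded.
    """
    hits = Counter(r["srcaddr"] for r in records
                   if r["action"] == "REJECT"
                   and r["dstaddr"] == dstaddr and r["dstport"] == dstport)
    return dict(hits)


def rejects_by_port(records: List[dict]) -> Dict[int, int]:
    """REJECT count per destination port: a quick view of which services are being denied."""
    return dict(Counter(r["dstport"] for r in records if r["action"] == "REJECT"))


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("rejected to database:", rejected_to(recs, "10.0.2.40", 5432))
    print("rejects by port:", rejects_by_port(recs))
```

Note what the parser cannot tell you: the two rejected flows from 10.0.1.25 could be a misconfigured security group or something more interesting, but with metadata alone there is no way to see the request contents. That is the line between Flow Logs and Traffic Mirroring.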
3.4 VPC Traffic Mirroring
🔹 What it is
Captures full network packets and sends them to another system.
🔹 What it does
- Mirrors traffic from ENIs
- Sends traffic to:
  - Security appliances
  - IDS/IPS systems
🔹 Key Features
- Works at packet level
- Supports:
  - Deep packet inspection (DPI)
  - Intrusion detection systems
🔹 Network Security Use Cases
- Analyze:
  - Packet payloads
  - Application-level traffic
- Detect advanced threats
🔹 Example (IT-focused)
- Traffic is mirrored to a network security appliance for inspection
🔹 Exam Tips
- Traffic Mirroring = full packet capture
- More detailed than Flow Logs
- Higher cost and complexity
3.5 Transit Gateway Network Manager
🔹 What it is
A centralized network monitoring and management service.
🔹 What it does
- Monitors global network infrastructure
- Provides:
  - Topology view
  - Route analysis
  - Performance metrics
🔹 Key Features
- Works with:
  - AWS Transit Gateway
  - Hybrid networks (on-premises + AWS)
- Shows:
  - Network connectivity
  - Route changes
  - Health status
🔹 Network Security Use Cases
- Detect:
  - Routing issues
  - Connectivity problems
- Monitor large-scale network environments
🔹 Exam Tips
- Used for centralized network visibility
- Important in multi-region and hybrid architectures
4. Comparison (Very Important for Exam)
| Service | Purpose | Data Type | Use Case |
|---|---|---|---|
| CloudWatch | Monitoring | Metrics & Logs | Alerts, performance monitoring |
| CloudTrail | Auditing | API Logs | Track user actions |
| VPC Flow Logs | Traffic metadata | IP info | Troubleshooting |
| Traffic Mirroring | Packet capture | Full packets | Deep inspection |
| Transit Gateway Network Manager | Network overview | Topology & metrics | Large-scale monitoring |
5. How They Work Together
In real AWS environments, these services are combined:
- CloudTrail → tracks configuration changes
- VPC Flow Logs → monitors traffic patterns
- Traffic Mirroring → deep packet inspection
- CloudWatch → alerts and dashboards
- Transit Gateway Network Manager → central visibility
👉 Together, they provide complete network visibility
6. Key Exam Concepts You Must Remember
🔥 1. Metadata vs Packet Data
- Flow Logs → metadata only
- Traffic Mirroring → full packets
🔥 2. Monitoring vs Auditing
- Monitoring → CloudWatch
- Auditing → CloudTrail
🔥 3. Real-time vs Historical
- CloudWatch → real-time alerts
- CloudTrail → historical logs
🔥 4. Scope of Services
- ENI level → Flow Logs, Traffic Mirroring
- Account level → CloudTrail
- Global network → Transit Gateway Network Manager
7. Common Exam Traps
❌ Thinking Flow Logs capture packet data → Wrong
❌ Using CloudTrail for traffic analysis → Wrong
❌ Using CloudWatch alone for auditing → Incomplete
❌ Ignoring Traffic Mirroring for deep inspection → Mistake
8. Simple Summary
- CloudWatch → Monitor and alert
- CloudTrail → Audit user activity
- VPC Flow Logs → See traffic metadata
- Traffic Mirroring → Capture full packets
- Transit Gateway Network Manager → View entire network
Final Exam Tip
If a question asks:
- “Who made changes?” → CloudTrail
- “Is traffic abnormal right now?” → CloudWatch
- “Why is a connection failing?” → Flow Logs
- “Inspect packets deeply?” → Traffic Mirroring
- “Manage large network?” → Transit Gateway Network Manager
