CloudTrail provides free storage of audit logs for 90 days. If you want to keep data for longer than 90 days, you have to set up a trail to be stored in an S3 bucket somewhere or ingested into some other platform.

AWS provides IP address assignments based on your choice of public or private. Depending on your configuration (or template selected), AWS will find the resources in their data center and launch that instance for you.

Athena is an AWS service that allows you to search data that are resident within your S3 buckets as if they were in an SQL database. Athena allows you to search terabytes of data stored in your S3 buckets without having to first process and load it all into something like ELK. In addition, you can schedule Athena queries to run at regular intervals to perform regular threat hunts as new logs are written into your CloudTrail buckets.

The actions of the root user on an EC2 instance will be logged in CloudTrail by default. They will not appear in CloudWatch unless CloudWatch is configured to accept them. VPC Flow Logs do not include changes made on an EC2 instance. Linux logs record only changes made by accounts within the instance, not by the accounts of AWS users, including root.

By default, all Amazon S3 buckets and objects are private. Only the resource owner, which is the AWS account that created the bucket, can access that bucket

Instances prefixed with P, G, or F indicate that a GPU or FPGA is attached to them. This is the instance type most often abused by crypto miners.

Amazon Elastic File System (EFS) is basically a network-hosted NFS share, while Elastic Block Store (EBS) is a dedicated block storage device. This means that multiple instances can all access an EFS share simultaneously, while only one instance at a time can access an EBS volume. Many developers will create an AWS-hosted NFS share (EFS) and then attach it to multiple running EC2 instances. This way, for auto-scaling clusters and containers, they can have persistent data storage. This allows multiple Linux instances and containers to read and write data to a central place, and then AWS will manage auto-scaling of EFS storage. Since EFS shares are regional, the data access speeds should be fast.