Securing log files

Log files are a potential security vulnerability that should be mitigated as thoroughly as possible. The following are AWS best practices for securing log files:

Use CloudTrail to activate logging, auditing, and alerting

CloudTrail must be activated in all AWS accounts for all AWS products. This helps with security auditing in case of a security incident. Development stage accounts must also have CloudTrail activated as development environments are frequently attacked on the assumption that their security controls are weaker than those of production environment.

Refer to the AWS CloudTrail User Guide for instructions on activating it.

Often when a compromise happens, actors try to enumerate permissions on a compromised IAM user or role, which will generate authorization failures. We recommend Monitoring CloudTrail Log Files with Amazon CloudWatch Logs.

If your case requires strong integrity guarantees, consider activating CloudTrail Log File Validation feature.

All AWS accounts must have CloudTrail activated and alerting setup.

• Verify that CloudTrail is activated in all Regions

• Verify that S3 bucket where CloudTrail logs are stored is locked down

  • Use scoped down bucket policy that gives service operators permissions to read but not write to the bucket (log records must be written only once and stay immutable)

• Verify that alerts function properly

  • Perform an action that will generate an UnauthorizedOperation or AccessDenied error in CloudTrail logs

  • Confirm that the alert has been invoked and received

• Verify that CloudTrail Log File Integrity is activated

• Verify that at least one trail of CloudTrail in each account captures events from global services, such as IAM and AWS Security Token Service (STS). You can activate global service events logging for a trail from AWS CLI by running the following command:

  update-trail —name <trail_name> —include-global-service-events