This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
Logging
The Logging component serves several functions in an architecture that aims to detect and respond to active data integrity events. Logs are produced through integrity monitoring and event detection, and they feed the other components that respond to active events: both the mitigation and containment component and the forensics and analytics component use logs to inform their actions. Logs help decide what steps should be taken to respond to and recover from a security event.
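As an added example (not code from the whitepaper), the following Python script shows the kind of event detection the paragraph above describes, run over AWS CloudTrail records: it flags API calls that weaken data-integrity protections or audit coverage (stopping the trail, suspending S3 versioning, disabling KMS keys, stopping the AWS Config recorder) and a burst of `DeleteObject` calls by one principal. The `eventSource`/`eventName` values are real CloudTrail names; the records in `SAMPLE_EVENTS`, the principal names, the bucket names and the thresholds are constructed for illustration.

```python
"""Detect CloudTrail events that weaken data-integrity protections or audit coverage.

Added example; not code from the AWS whitepaper. The eventSource/eventName
values are real CloudTrail names; the records in SAMPLE_EVENTS are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Events that often precede or accompany a data-integrity event: turning off the
# audit trail, suspending S3 versioning, changing expiration rules, removing a
# bucket policy, disabling or deleting KMS keys, stopping the AWS Config recorder.
HIGH_RISK = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "audit trail stopped",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "audit trail deleted",
    ("s3.amazonaws.com", "PutBucketVersioning"): "bucket versioning suspended",
    ("s3.amazonaws.com", "PutBucketLifecycle"): "lifecycle (expiration) rule changed",
    ("s3.amazonaws.com", "DeleteBucketPolicy"): "bucket policy removed",
    ("kms.amazonaws.com", "DisableKey"): "KMS key disabled",
    ("kms.amazonaws.com", "ScheduleKeyDeletion"): "KMS key scheduled for deletion",
    ("config.amazonaws.com", "StopConfigurationRecorder"): "AWS Config recorder stopped",
}
DELETE_BURST = 5               # this many DeleteObject calls by one principal ...
WINDOW = timedelta(minutes=5)  # ... inside this window count as a mass-deletion burst


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def analyze(records):
    """Return a list of finding dicts for CloudTrail records, oldest first."""
    findings = []
    recent_deletes = defaultdict(list)  # principal ARN -> DeleteObject times inside WINDOW
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        key = (rec["eventSource"], rec["eventName"])
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        when = _parse_time(rec["eventTime"])
        params = rec.get("requestParameters") or {}
        base = {"eventTime": rec["eventTime"], "eventName": rec["eventName"],
                "actor": actor, "sourceIPAddress": rec.get("sourceIPAddress"),
                "bucket": params.get("bucketName")}
        if key in HIGH_RISK:
            if rec["eventName"] == "PutBucketVersioning":
                status = params.get("VersioningConfiguration", {}).get("Status")
                if status != "Suspended":
                    continue  # enabling versioning strengthens integrity; not a finding
            findings.append({**base, "severity": "high", "detail": HIGH_RISK[key]})
        elif key == ("s3.amazonaws.com", "DeleteObject"):
            times = recent_deletes[actor]
            times.append(when)
            while times and when - times[0] > WINDOW:
                times.pop(0)  # slide the window forward
            if len(times) == DELETE_BURST:  # fire once, as the threshold is crossed
                findings.append({**base, "severity": "high", "count": len(times),
                                 "detail": f"{DELETE_BURST}+ DeleteObject calls within "
                                           f"{int(WINDOW.total_seconds())}s"})
    return findings


def _rec(time, source, name, user, params=None, ip="203.0.113.10"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"},
            "sourceIPAddress": ip, "requestParameters": params or {}}


_T0 = datetime(2023, 4, 1, 10, 2, 10)
SAMPLE_EVENTS = [
    _rec("2023-04-01T10:00:00Z", "s3.amazonaws.com", "GetObject", "alice",
         {"bucketName": "backups", "key": "db.bak"}),
    _rec("2023-04-01T10:01:00Z", "cloudtrail.amazonaws.com", "StopLogging", "mallory",
         {"name": "org-trail"}),
    _rec("2023-04-01T10:01:30Z", "s3.amazonaws.com", "PutBucketVersioning", "mallory",
         {"bucketName": "backups", "VersioningConfiguration": {"Status": "Suspended"}}),
    _rec("2023-04-01T10:02:00Z", "s3.amazonaws.com", "PutBucketVersioning", "alice",
         {"bucketName": "logs", "VersioningConfiguration": {"Status": "Enabled"}}),
    _rec("2023-04-01T10:02:15Z", "s3.amazonaws.com", "DeleteObject", "alice",
         {"bucketName": "scratch", "key": "tmp.txt"}),
] + [  # six deletes by one principal, ten seconds apart: 10:02:10 .. 10:03:00
    _rec((_T0 + timedelta(seconds=10 * i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
         "s3.amazonaws.com", "DeleteObject", "mallory",
         {"bucketName": "backups", "key": f"db-{i}.bak"})
    for i in range(6)
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["eventTime"], f["severity"], f["actor"], f["detail"])
```

Two practitioner caveats: `DeleteObject` is an S3 data event, which CloudTrail records only when data events are enabled for the bucket or trail, so the burst rule is silent without that configuration; and in production the same logic would run over the trail's S3 bucket via Amazon Athena or over a CloudWatch Logs subscription rather than an in-memory list.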
Table 9 — Logging capability and the associated AWS services

The capability and CSF mapping in the first column applies to every row of the table.

| Capability and CSF mapping | AWS service | AWS service description | Function | AWS GovCloud (US) |
|---|---|---|---|---|
| Logging (PR.PT-1, DE.AE-4, DE.CM-1, DE.CM-3) | Amazon Athena | Amazon Athena is an interactive query service that makes it easy to analyze data directly in S3 using standard SQL. With a few clicks in the AWS Management Console you can point Athena at data stored in S3 and query it with standard SQL. Athena is serverless, so there is no infrastructure to set up or manage, and customers pay only for the queries they run. | Provides the ability to perform interactive queries of logs stored in S3 using standard SQL with no infrastructure to manage. | Yes |
| | Amazon CloudWatch | Amazon CloudWatch is a monitoring and observability service built for DevOps engineers, developers, site reliability engineers (SREs), and IT managers. CloudWatch provides you with data and actionable insights to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, providing you with a unified view of AWS resources, applications, and services that run on AWS and on-premises servers. You can use CloudWatch to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly. | Monitors, detects, visualizes, and sends notifications of attacks, and responds to changes in your AWS resources. | Yes |
| | Amazon CloudWatch Logs | CloudWatch Logs enables you to centralize the logs from all of your systems, applications, and AWS services that you use, in a single, highly scalable service. You can then easily view them, search them for specific error codes or patterns, filter them based on specific fields, or archive them securely for future analysis. CloudWatch Logs enables you to see all of your logs, regardless of their source, as a single and consistent flow of events ordered by time. You can query them and sort them based on other dimensions, group them by specific fields, create custom computations with a powerful query language, and visualize log data in dashboards. | Provides logging capabilities configurable to customer policy. | Yes |
| | Amazon CloudWatch Logs Insights | Amazon CloudWatch Logs Insights enables you to derive actionable intelligence from your logs to address operational issues without needing to provision servers or manage software. You can instantly begin writing queries with aggregations, filters, and regular expressions. In addition, you can visualize time series data, drill down into individual log events, and export query results to CloudWatch Dashboards. | Provides analysis capabilities for identifying actionable intelligence from CloudWatch Logs. | Yes |
| | Amazon OpenSearch Service | Centralize and analyze logs from disparate applications and systems across your network for real-time threat detection and incident management. | Provides centralized real-time logging and threat detection. | Yes |
| | Amazon GuardDuty | Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in S3. | Detects reconnaissance activity, such as unusual API activity, intra-VPC port scanning, unusual patterns of failed login requests, or unblocked port probing from a known bad IP address. | Yes |
| | Amazon Inspector | Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports, which are available via the Amazon Inspector console or API. | Provides logs from vulnerability scanning. | Yes |
| | Amazon Lookout for Metrics | Amazon Lookout for Metrics uses ML to automatically detect and diagnose anomalies (such as outliers from the norm) in business and operational data. | Provides automated anomaly detection and diagnosis using ML. | Yes |
| | Amazon Macie | Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. | Discovers and protects sensitive data using ML and pattern matching. | No |
| | Amazon Route 53 Public Zone Logs and Resolver Query Logs | You can configure Route 53 to log information about the queries that Route 53 receives, such as the domain or subdomain that was requested, the date and time of the request, and the DNS record type, such as A or AAAA. | | Yes |
| | Amazon S3 Server Access Logs | Amazon S3 server access logs list the requests made against your S3 resources, giving visibility into who is accessing what data. | | Yes |
| | Amazon VPC Flow Logs | Amazon VPC Flow Logs enables you to capture information about the IP traffic going to and from network interfaces in your Amazon VPC. Flow log data can be published to Amazon CloudWatch Logs or to S3. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs, S3, or another analytics tool. You can also use flow logs as a security tool to monitor the traffic that is reaching your instance. For more information, see Publish flow logs to CloudWatch Logs. | Provides network information about IP traffic going to and from network interfaces in an Amazon VPC. | Yes |
| | AWS Audit Manager | AWS Audit Manager helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards. | Continuously audits your AWS usage to simplify how you assess risk and compliance. | Yes |
| | AWS CloudTrail | AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, and command line tools. This event history simplifies security analysis, resource change tracking, and troubleshooting. You can use CloudTrail to detect unusual activity in your AWS accounts. These capabilities help simplify operational analysis and troubleshooting. | Helps you monitor, detect, visualize, receive notifications of, and respond to changes in your AWS resources. | Yes |
| | AWS CloudTrail Insights | Identifies unusual activity in your AWS accounts, such as spikes in resource provisioning, bursts of AWS IAM actions, or gaps in periodic maintenance activity. You can enable CloudTrail Insights events across your AWS Organization, or in individual AWS accounts in your CloudTrail trails. | | Yes |
| | AWS Config | AWS Config enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With AWS Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting. | Lets you assess, audit, and evaluate the configurations of your AWS resources. | Yes |
| | AWS Config Rules | AWS Config rules are a configurable and extensible set of Lambda functions that evaluate recorded resource configurations against desired configurations. If AWS Config rules deem a configuration change to be undesirable, customers can act to remediate it. | Provides notification, logging, detection, and reporting of configuration changes, including changes that affect data on a system. | Yes |
| | AWS Security Hub | AWS Security Hub gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts. With Security Hub, you have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. A Security Hub insight is a collection of related findings defined by an aggregation statement and optional filters. An insight identifies a security area that requires attention and intervention. Security Hub offers several managed (default) insights that you cannot modify or delete. You can also create custom insights to track security issues that are unique to your AWS environment and usage. | Gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts. | Yes |
| | AWS Systems Manager Inventory | AWS Systems Manager collects information about your instances and the software installed on them, helping you to understand your system configurations and installed applications. You can collect data about applications, files, network configurations, Windows services, registries, server roles, updates, and any other system properties. The gathered data enables you to manage application assets, track licenses, monitor file integrity, discover applications not installed by a traditional installer, and more. | Provides identification and status information for devices and software. | Yes |
| | AWS IAM Credential Report | You can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords and MFA devices. You can use credential reports to assist in your auditing and compliance efforts. You can use the report to audit the effects of credential lifecycle requirements, such as password rotation. You can provide the report to an external auditor, or grant permissions to an auditor so that they can download the report directly. | Provides identification and status information for IAM users. | Yes |
| | AWS Systems Manager Session Logs | You can use the AWS Systems Manager console or the Amazon EC2 console to start and manage Session Manager sessions on your instances. Depending on your permissions, you can also view information about sessions, resume inactive sessions that haven't timed out, and end sessions. In addition to providing information about current and completed sessions in the Systems Manager console, Session Manager provides you with options for logging session activity in your AWS account. | | Yes |
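The Amazon VPC Flow Logs and Amazon GuardDuty rows of Table 9 describe network-traffic records and the "intra-VPC port scanning" they can reveal. The following Python script, added here as an example and not code from the whitepaper or from AWS, parses flow-log lines in the default (version 2) record format and flags a source that had connections to many distinct destination ports rejected on one target within a short window. The field order is the documented default flow-log format; the log lines in `SAMPLE_LOG`, the addresses and the thresholds are constructed for illustration.

```python
"""Port-scan detection over VPC Flow Log records (default format, version 2).

Added example; not code from the AWS whitepaper. The field layout is the
default flow-log record format; the lines in SAMPLE_LOG are constructed.
"""
from collections import defaultdict

# Default flow-log record fields, in order (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_flow_log(text):
    """Parse space-separated flow-log lines into dicts; '-' becomes None.

    Lines that do not have exactly the default field count (custom formats,
    truncated lines, stray text) are skipped rather than guessed at."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = {}
        for name, value in zip(FIELDS, parts):
            if value == "-":
                rec[name] = None
            elif name in INT_FIELDS:
                rec[name] = int(value)
            else:
                rec[name] = value
        records.append(rec)
    return records


def detect_port_scans(records, threshold=5, window=60):
    """Return {(srcaddr, dstaddr): sorted distinct ports} for source/target pairs
    where REJECTed flows touched at least `threshold` distinct destination ports
    inside any `window`-second span (NODATA/SKIPDATA and ACCEPT flows are ignored)."""
    probes = defaultdict(list)  # (src, dst) -> [(start, dstport)]
    for r in records:
        if r["action"] != "REJECT" or r["dstport"] is None:
            continue
        probes[(r["srcaddr"], r["dstaddr"])].append((r["start"], r["dstport"]))
    scans = {}
    for pair, events in probes.items():
        events.sort()
        flagged = set()
        for i, (t0, _) in enumerate(events):
            # distinct ports probed in [t0, t0 + window]
            ports = {port for t, port in events[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                flagged |= ports
        if flagged:
            scans[pair] = sorted(flagged)
    return scans


# Constructed sample: 10.0.1.5 probes seven ports on 10.0.2.7 within 30 s and one
# more port (25) thirteen minutes later; 10.0.3.3 probes only two ports; plus
# normal accepted traffic, a NODATA record, and a line that is not a flow record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 10.0.2.7 40001 22 6 1 44 1680343200 1680343260 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 10.0.2.7 40002 23 6 1 44 1680343205 1680343265 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 10.0.2.7 40003 80 6 1 44 1680343210 1680343270 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 10.0.2.7 40004 443 6 1 44 1680343215 1680343275 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 10.0.2.7 40005 3389 6 1 44 1680343220 1680343280 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 10.0.2.7 40006 8080 6 1 44 1680343225 1680343285 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 10.0.2.7 40007 25 6 1 44 1680344000 1680344060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.7 10.0.1.9 51000 443 6 20 4200 1680343200 1680343260 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.3.3 10.0.2.7 50001 22 6 1 44 1680343230 1680343290 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.3.3 10.0.2.7 50002 80 6 1 44 1680343231 1680343291 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1680343200 1680343260 - NODATA
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 10.0.2.7 40008 53 17 1 60 1680343230 1680343290 REJECT OK
garbage line that is not a flow record
"""

if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(parse_flow_log(SAMPLE_LOG)).items():
        print(f"possible port scan {src} -> {dst}: ports {ports}")
```

Flow logs are aggregated over a capture window, so `start` is the window start rather than the packet time; the detection therefore reasons in windows of tens of seconds, not milliseconds. Only REJECT records are counted here because an accepted probe of an open port looks like a normal short flow; the "unblocked port probing" GuardDuty describes needs a threat-intelligence source-address match rather than a port count.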