Security control recommendations for logging and monitoring - AWS Prescriptive Guidance

Security control recommendations for logging and monitoring

Logging and monitoring are important aspects of threat detection. Threat detection is one of the security perspective capabilities in the AWS Cloud Adoption Framework (AWS CAF). By using log data, your organization can monitor your environment to understand and identify potential security misconfigurations, threats, and unexpected behaviors. Understanding potential threats can help your organization prioritize security controls, and effective threat detection can help you respond to threats more quickly.

Configure at least one multi-Region trail in CloudTrail

AWS CloudTrail helps you audit the governance, compliance, and operational risk of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDKs and APIs. This event history helps you analyze your security posture, track resource changes, and audit compliance.

For an ongoing record of events in your AWS account, you must create a trail. Each trail should be configured to log events in all AWS Regions. By logging events in all AWS Regions, you ensure that all events that occur in your AWS account are logged, regardless of which AWS Region they occurred in. A multi-Region trail ensures that global service events are logged.
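An offline check of the control described above, written here as an added example (not AWS code): it evaluates trail definitions in the shape returned by `aws cloudtrail describe-trails` (those field names are real; the trail names, bucket and flag values are constructed) and reports whether at least one trail is multi-Region with global service events. It also flags trails without log file validation, which goes slightly beyond this paragraph but supports the log-integrity goal stated later on the page.

```python
# Trail definitions in the shape of `aws cloudtrail describe-trails` output.
# Constructed sample: one single-Region trail and one multi-Region trail.
SAMPLE_TRAILS = [
    {
        "Name": "legacy-us-east-1-trail",
        "HomeRegion": "us-east-1",
        "S3BucketName": "example-cloudtrail-logs",
        "IsMultiRegionTrail": False,
        "IncludeGlobalServiceEvents": True,
        "LogFileValidationEnabled": False,
    },
    {
        "Name": "org-wide-trail",
        "HomeRegion": "eu-west-1",
        "S3BucketName": "example-cloudtrail-logs",
        "IsMultiRegionTrail": True,
        "IncludeGlobalServiceEvents": True,
        "LogFileValidationEnabled": True,
    },
]

def trail_findings(trail: dict) -> list[str]:
    """Control gaps for one trail; an empty list means it is compliant."""
    gaps = []
    if not trail.get("IsMultiRegionTrail", False):
        gaps.append(f"single-Region: events outside {trail.get('HomeRegion')} are not recorded")
    if not trail.get("IncludeGlobalServiceEvents", False):
        gaps.append("global service events (for example IAM and STS) are not recorded")
    if not trail.get("LogFileValidationEnabled", False):
        gaps.append("log file validation off: digests cannot prove the logs were not altered")
    return gaps

def audit_trails(trails: list[dict]) -> dict:
    """Account-level verdict: the control passes when at least one trail is
    multi-Region and records global service events; per-trail gaps are kept."""
    report = {"compliant": False, "trails": {}}
    for t in trails:
        report["trails"][t["Name"]] = trail_findings(t)
        if t.get("IsMultiRegionTrail") and t.get("IncludeGlobalServiceEvents"):
            report["compliant"] = True
    return report

if __name__ == "__main__":
    result = audit_trails(SAMPLE_TRAILS)
    print("account compliant:", result["compliant"])
    for name, gaps in result["trails"].items():
        print(f"{name}: {'OK' if not gaps else '; '.join(gaps)}")
```

Feed it the `trailList` array from the real CLI output to audit an account; an empty account (no trails) is reported as non-compliant.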

For more information, see the following resources:

Configure logging at the service and application level

The AWS Well-Architected Framework recommends that you retain security event logs from services and applications. This is a fundamental principle of security for audit, investigations, and operational use cases. Service and application log retention is a common security requirement that is driven by governance, risk, and compliance (GRC) standards, policies, and procedures.

Security operations teams rely on logs and search tools to discover potential events of interest that might indicate unauthorized activity or unintentional change. You can enable logging for different services, depending on the use case. For example, you can log Amazon S3 bucket access, AWS WAF web ACL traffic, Amazon API Gateway traffic at the network layer, or Amazon CloudFront distributions.

For more information, see the following resources:

Establish a centralized location for analyzing logs and responding to security events

Manually analyzing logs and processing information is insufficient to keep up with the volume of information associated with complex architectures. Analysis and reporting alone don't facilitate event assignment to the correct resource in a timely fashion. The AWS Well-Architected Framework recommends that you integrate AWS security events and findings into a notification and workflow system, such as a ticketing, bug, or security information and event management (SIEM) system. These systems help you assign, route, and manage security events.

For more information, see the following resources:

Prevent unauthorized access to S3 buckets that contain CloudTrail log files

By default, CloudTrail log files are stored in Amazon S3 buckets. It is a security best practice to prevent unauthorized access to any Amazon S3 bucket that contains CloudTrail log files. This helps you maintain the integrity, completeness, and availability of these logs, which is crucial for forensic and auditing purposes. If you want to log data events for S3 buckets that contain CloudTrail log files, you can create a CloudTrail trail for this purpose.
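As an added example (not AWS code), the following lints a bucket policy for the S3 bucket that holds CloudTrail log files against three properties that back the recommendation above: no `Allow` to a wildcard principal, the CloudTrail service write grant pinned to one trail with `aws:SourceArn`, and a `Deny` when `aws:SecureTransport` is false. The weak and hardened policies, the bucket name and the trail ARN are constructed samples.

```python
# Constructed sample policies for the bucket that stores CloudTrail log files.
TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:111122223333:trail/PLACEHOLDER-TRAIL"
BUCKET = "arn:aws:s3:::example-cloudtrail-logs"
CLOUDTRAIL_SVC = "cloudtrail.amazonaws.com"

WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    # Anyone can read the log objects.
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    # Service write grant not tied to a specific trail.
    {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL_SVC},
     "Action": "s3:PutObject", "Resource": BUCKET + "/AWSLogs/*"},
]}

HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL_SVC},
     "Action": "s3:PutObject", "Resource": BUCKET + "/AWSLogs/*",
     "Condition": {"StringEquals": {"aws:SourceArn": TRAIL_ARN,
                                    "s3:x-amz-acl": "bucket-owner-full-control"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _wildcard_principal(p) -> bool:
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))

def audit_log_bucket_policy(policy: dict) -> list[str]:
    """Return findings; an empty list means the policy passes all three checks."""
    findings, tls_deny = [], False
    for i, s in enumerate(policy.get("Statement", [])):
        principal, cond = s.get("Principal", {}), s.get("Condition", {})
        cond_keys = {k.lower() for block in cond.values() for k in block}
        service = principal.get("Service") if isinstance(principal, dict) else None
        if s["Effect"] == "Allow" and _wildcard_principal(principal):
            findings.append(f"statement {i}: Allow to a wildcard principal exposes the log files")
        if s["Effect"] == "Allow" and service == CLOUDTRAIL_SVC and "aws:sourcearn" not in cond_keys:
            findings.append(f"statement {i}: CloudTrail write grant is not limited to one trail (aws:SourceArn)")
        if s["Effect"] == "Deny" and cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            tls_deny = True
    if not tls_deny:
        findings.append("no Deny on aws:SecureTransport=false: access over plain HTTP is allowed")
    return findings
```

The checks are deliberately narrow; S3 Block Public Access and the bucket's ACL settings are separate controls that this policy lint does not see.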

For more information, see the following resources:

Configure alerts for changes to security groups or network ACLs

A security group in Amazon Virtual Private Cloud (Amazon VPC) controls the traffic that is allowed to reach and leave the resources that it is associated with. A network access control list (ACL) allows or denies specific inbound or outbound traffic at the subnet level of the VPC. These resources are critical to managing access in your AWS environment.

Create and configure an Amazon CloudWatch alarm that notifies you if a security group or network ACL configuration changes. Configure this alarm to alert you every time an AWS API call is performed to update security groups. You can also use services, such as Amazon EventBridge and AWS Config, to automatically respond to these types of security events.

For more information, see the following resources:

Configure alerts for CloudWatch alarms that enter the ALARM state

In CloudWatch, you can specify what actions an alarm takes when it changes state between the OK, ALARM, and INSUFFICIENT_DATA states. The most common type of alarm action is to notify one or more people by sending a message to an Amazon Simple Notification Service (Amazon SNS) topic. You can also configure alarms to create OpsItems or incidents in AWS Systems Manager.

We recommend that you activate alarm actions to automatically alert if a monitored metric is outside of the defined threshold. Monitoring alarms helps you identify unusual activities and quickly respond to security and operational issues.
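The two recommendations above (alerting on security group or network ACL changes, and acting on alarms that enter the ALARM state) are illustrated together in this added example, which is not AWS code. It lists the EC2 API names that change those resources, builds the CloudWatch Logs metric filter pattern from them, runs the same match over constructed CloudTrail records, and then evaluates the resulting per-period counts the way a CloudWatch alarm with a Sum statistic would; the event timestamps and the five-minute period are assumptions.

```python
from datetime import datetime, timezone

# EC2 API names that change security groups or network ACLs; the same names
# go into the CloudWatch Logs metric filter on the CloudTrail log group.
SG_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
             "CreateSecurityGroup", "DeleteSecurityGroup"}
NACL_EVENTS = {"CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl",
               "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry",
               "ReplaceNetworkAclAssociation"}

SAMPLE_EVENTS = [  # constructed CloudTrail records, trimmed to the fields used
    {"eventTime": "2024-05-01T10:00:12Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeSecurityGroups"},
    {"eventTime": "2024-05-01T10:01:40Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress"},
    {"eventTime": "2024-05-01T10:02:05Z", "eventSource": "ec2.amazonaws.com", "eventName": "ReplaceNetworkAclEntry"},
    {"eventTime": "2024-05-01T10:03:30Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
]

def metric_filter_pattern(event_names=SG_EVENTS | NACL_EVENTS) -> str:
    """Filter pattern built from the same sets, so the offline check and the
    deployed metric filter cannot drift apart."""
    return "{ " + " || ".join(f"($.eventName = {n})" for n in sorted(event_names)) + " }"

def matches(event: dict, event_names=SG_EVENTS | NACL_EVENTS) -> bool:
    """True for any SG/NACL change call, successful or denied (attempts matter too)."""
    return event.get("eventSource") == "ec2.amazonaws.com" and event.get("eventName") in event_names

def _epoch(event: dict) -> int:
    return int(datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())

def period_counts(events: list[dict], period_seconds: int = 300) -> list[int]:
    """Matching events per fixed period (metric filter -> Sum statistic);
    quiet periods between the first and last event yield 0."""
    if not events:
        return []
    stamps = [_epoch(e) // period_seconds for e in events]
    first = min(stamps)
    counts = [0] * (max(stamps) - first + 1)
    for e, bucket in zip(events, stamps):
        if matches(e):
            counts[bucket - first] += 1
    return counts

def alarm_state(datapoints: list[int], threshold: int = 1, evaluation_periods: int = 1) -> str:
    """Alarm with ComparisonOperator=GreaterThanOrEqualToThreshold and the default
    TreatMissingData=missing: too few datapoints -> INSUFFICIENT_DATA."""
    if len(datapoints) < evaluation_periods:
        return "INSUFFICIENT_DATA"
    return "ALARM" if all(d >= threshold for d in datapoints[-evaluation_periods:]) else "OK"
```

With the sample records, the two change calls fall in one period, so `alarm_state(period_counts(SAMPLE_EVENTS))` returns `ALARM`; in production the alarm action on that transition would publish to the SNS topic described above.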

For more information, see the following resources: