Security OU – Log Archive account - AWS Prescriptive Guidance

Security OU – Log Archive account

The following diagram illustrates the AWS security services that are configured in the Log Archive account.

        Security services for Log Archive account

The Log Archive account is dedicated to ingesting and archiving all security-related logs and backups. With centralized logs in place, you can monitor, audit, and alert on Amazon S3 object access, unauthorized activity by identities, IAM policy changes, and other critical activities performed on sensitive resources. The security objectives are straightforward: This should be immutable storage, accessed only by controlled, automated, and monitored mechanisms, and built for durability (for example, by using the appropriate replication and archival processes). Controls should be implemented at depth to protect the integrity and availability of the logs and log management process. In addition to preventive controls, such as assigning least privilege roles to be used for access and encrypting logs with a controlled AWS KMS key, use detective controls such as AWS Config to monitor (and alert and remediate) this collection of permissions for unexpected changes.

Design consideration

Operational log data used by your infrastructure, operations, and workload teams often overlaps with the log data used by security, audit, and compliance teams. We recommend that you consolidate your operational log data into the Log Archive account. Based on your specific security and governance requirements, you might need to filter operational log data saved to this account. You might also need to specify who has access to the operational log data in the Log Archive account.

Types of logs

The primary logs shown in the AWS SRA include AWS CloudTrail (organization trail), Amazon VPC flow logs, access logs from Amazon CloudFront and AWS WAF, and DNS logs from Amazon Route 53. These logs provide an audit of actions taken (or attempted) by a user, role, AWS service, or network entity (identified, for example, by an IP address). Other log types (for example, application logs or database logs) can be captured and archived as well. For more information about log sources and logging best practices, see the security documentation for each service.

Amazon S3 as central log store

By logging to a dedicated and centralized S3 bucket that resides in a dedicated account, you can enforce strict security controls, access, and separation of duties.

By default, the log files delivered by CloudTrail to the bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you should use server-side encryption with AWS KMS keys that you manage (SSE-KMS) on all security log files. With this feature, in order to read log files, a user must have both Amazon S3 read permissions for the bucket that contains the log files and an IAM policy or role applied that allows decrypt permissions by the associated key policy. Additionally, CloudTrail provides log file integrity validation to determine whether a log file was modified or deleted after CloudTrail delivered it.

Configure the multi-factor authentication (MFA) Delete feature for the log archive bucket to ensure that any attempt to change the versioning state of the bucket or to permanently delete an object version requires additional authentication. This helps prevent any operation that could compromise the integrity of your log files.

You can use the Amazon S3 object lifecycle management rules to define your own retention policy to better meet your business and auditing needs. For example, you might want to archive log files that are more than a year old in Amazon S3 Glacier, or delete log files after a certain amount of time has passed.

In addition to protecting the S3 bucket itself, you should adhere to the principle of least privilege for the logging services (for example, CloudTrail) and the Log Archive account. For example, users with permissions granted by the AWS managed IAM policy AWSCloudTrail_FullAccess have the ability to disable or reconfigure the most sensitive and important auditing functions in their AWS accounts. Limit the application of this IAM policy to as few individuals as possible.

Use detective controls, such as those delivered by AWS Config and AWS IAM Access Analyzer, to monitor (and alert and remediate) this broader collective of preventive controls for unexpected changes.

For a deeper discussion of security best practices for S3 buckets, see the Amazon S3 documentation, online tech talks, and blog posts.

Security service guardrails

In the AWS SRA, AWS Security Hub, Amazon GuardDuty, Amazon Macie, AWS Config, AWS IAM Access Analyzer, AWS CloudTrail organization trails, and Amazon EventBridge are deployed with appropriate delegated administration to the Security Tooling account. This enables a consistent set of guardrails and provides centralized monitoring, management, and governance across your AWS organization.