Principle 13: Audit information for users - Using AWS in the Context of NHS Cloud Security Guidance

Principle 13: Audit information for users

You should be provided with the audit records needed to monitor access to your service and the data held within it. The type of audit information available to you will have a direct impact on your ability to detect and respond to inappropriate or malicious activity within reasonable timescales.

The Service User should use the audit data as part of an effective pro-active monitoring regime.

Applicable risk classes: All

AWS offers a service called CloudTrail that provides audit records for AWS customers, presenting audit information in the form of log files to a specified storage location (specifically, a nominated Amazon S3 bucket). The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

CloudTrail provides a history of AWS API calls for customer accounts, including those made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as AWS CloudFormation) that invoke those APIs on a customer’s behalf. The AWS API call history captured by CloudTrail enables security analysis, resource change tracking, and compliance auditing.

The log file objects written to Amazon S3 are granted full control to the bucket owner. The bucket owner thus has full control over whether to share the logs with any other parties. This feature provides AWS customers with a mechanism for investigating service misuse or security incidents.
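As an added example (not part of the guidance or an AWS-provided tool), the following Python parses a CloudTrail log file into the fields listed above (caller identity, time, source IP, request parameters, response elements) and flags refused API calls, one signal a proactive monitoring regime would watch. The log content is constructed for illustration; real files are gzipped JSON objects in the nominated S3 bucket.

```python
import json
from collections import Counter

# Constructed sample CloudTrail log file with two records (not real data).
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventTime": "2024-01-01T10:00:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "sourceIPAddress": "192.0.2.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"},
        "responseElements": None,
    },
    {
        "eventTime": "2024-01-01T10:05:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucket",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "requestParameters": {"bucketName": "example-bucket"},
        "responseElements": None,
        "errorCode": "AccessDenied",
    },
]})


def parse_records(log_text):
    """Flatten each CloudTrail record to the fields the guidance names."""
    out = []
    for rec in json.loads(log_text).get("Records", []):
        ident = rec.get("userIdentity", {})
        out.append({
            "time": rec.get("eventTime"),
            # Root and role sessions may lack userName; fall back to ARN or type.
            "caller": ident.get("userName") or ident.get("arn") or ident.get("type"),
            "source_ip": rec.get("sourceIPAddress"),
            "event": f"{rec.get('eventSource')}:{rec.get('eventName')}",
            "request": rec.get("requestParameters"),
            "response": rec.get("responseElements"),
            "error": rec.get("errorCode"),  # absent when the call succeeded
        })
    return out


def denied_calls(records):
    """Records the API refused: repeated denials are worth investigating."""
    return [r for r in records if r["error"] == "AccessDenied"]


def calls_by_caller_and_ip(records):
    """Count calls per (caller, source IP) pair to spot unexpected origins."""
    return Counter((r["caller"], r["source_ip"]) for r in records)
```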

For more details on AWS CloudTrail and further information on audit records, see AWS CloudTrail.

The other service relevant to this principle is Amazon CloudWatch Logs, which enables events occurring on EC2 instances (which are under customer management in the Shared Responsibility Model for Security) to be written to log files in AWS for analysis and, if required, for response through the companion Amazon CloudWatch Events feature. CloudWatch Logs is also used for longer-term storage of CloudTrail records.