Logging Solutions
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing AWS Certified Security - Specialty premium course — no separate purchase.
Included in this chapter:
- The log-source catalog: pick the source by the threat
- Centralize delivery in a dedicated logging account
- Make the record tamper-evident and immutable
- Normalize and analyze: Security Lake, Athena, Logs Insights, OpenSearch
Log-source catalog: which source answers which question
| Log source | What it records | Default destination(s) | Primary use |
|---|---|---|---|
| CloudTrail management events | Control-plane API and console activity (who did what) | S3 (and optional CloudWatch Logs, EventBridge) | Account audit, on by default in a trail |
| CloudTrail data events | Data-plane object/item access (e.g. S3 GetObject, Lambda Invoke) | S3 (must be explicitly enabled, extra cost) | Sensitive-data access auditing |
| VPC Flow Logs | IP traffic metadata accepted/rejected at the ENI | CloudWatch Logs, S3, or Data Firehose | Network forensics, security-group debugging |
| Route 53 Resolver query logs | DNS names resolved by resources in the VPC | CloudWatch Logs, S3, or Data Firehose | Detecting exfiltration and C2 by domain |
| CloudFront / ELB / S3 access logs | Application-layer HTTP/request records | S3 | Web request analysis and abuse investigation |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
References
- AWS CloudTrail concepts
- VPC Flow Logs
- Route 53 Resolver query logging
- Transit Gateway Flow Logs
- Creating a trail for an organization
- Publishing flow logs to Amazon S3
- Validating CloudTrail log file integrity
- Using S3 Object Lock
- Configuring MFA delete
- Working with CloudTrail Lake
- What is Amazon Security Lake?
- Analyzing log data with CloudWatch Logs Insights