Domain 1 of 6 · Chapter 2 of 3

Logging Solutions

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing AWS Certified Security - Specialty premium course — no separate purchase.

Included in this chapter:

  • The log-source catalog: pick the source by the threat
  • Centralize delivery in a dedicated logging account
  • Make the record tamper-evident and immutable
  • Normalize and analyze: Security Lake, Athena, Logs Insights, OpenSearch

Log-source catalog: which source answers which question

Log sourceWhat it recordsDefault destination(s)Primary use
CloudTrail management eventsControl-plane API and console activity (who did what)S3 (and optional CloudWatch Logs, EventBridge)Account audit, on by default in a trail
CloudTrail data eventsData-plane object/item access (e.g. S3 GetObject, Lambda Invoke)S3 (must be explicitly enabled, extra cost)Sensitive-data access auditing
VPC Flow LogsIP traffic metadata accepted/rejected at the ENICloudWatch Logs, S3, or Data FirehoseNetwork forensics, security-group debugging
Route 53 Resolver query logsDNS names resolved by resources in the VPCCloudWatch Logs, S3, or Data FirehoseDetecting exfiltration and C2 by domain
CloudFront / ELB / S3 access logsApplication-layer HTTP/request recordsS3Web request analysis and abuse investigation

Decision tree

What must the logdesign answer?Who did what?One account orwhole org?OneMulti-Region trailsingle accountOrgOrganization trailall accounts, lockedWhich flows allowed?VPC Flow LogsACCEPT / REJECT metadataWhat name resolved?Route 53 Resolver logsDNS query recordThen protectthe storeSurvive a maliciousadministrator?S3 Object Lockcompliance mode WORMMany formatsfor a SIEM?Security LakeOCSF Parquet in S3Always: CloudTrail log file integrity validation onhourly chained SHA-256 digests prove nothing was altered

Cheat sheet

  • A trail logs management events by default, but data and Insights events cost extra and are off
  • CloudTrail logs four event types, each a different layer
  • Event history keeps only 90 days of management events and can't be turned on retroactively
  • Use a multi-Region trail so one trail captures every enabled Region
  • An organization trail logs every account and members can't disable it
  • Centralize logs in a dedicated account workloads can write to but not read or delete
  • Enable log file integrity validation to prove logs weren't altered
  • Lock the log bucket with S3 Object Lock compliance mode to survive a malicious admin
  • S3 MFA Delete adds an MFA token requirement to delete a version
  • VPC Flow Logs capture traffic metadata, not packet payloads
  • Create a flow log at the VPC, subnet, or ENI level
  • Use Route 53 Resolver query logs to catch DNS-based exfiltration and C2
  • Transit Gateway Flow Logs cover traffic crossing the transit gateway
  • Add application-layer access logs for HTTP-level evidence
  • Security Lake normalizes sources to OCSF Parquet in your own S3
  • Security Lake subscribers get either query access or data access
  • Use a CloudTrail Lake event data store for queryable, immutable long-term history
  • Pick CloudWatch Logs Insights for fast interactive triage on live logs
  • Use Athena for cheap SQL over logs sitting in S3
  • Reach for OpenSearch Service when you need full-text search and SIEM-style dashboards
  • Lambda, Managed Grafana, and OpenSearch are the normalize-parse-correlate toolkit
  • A Logs Insights top-N query is filter, then stats ... by field, then sort desc, then limit
  • Group a Logs Insights count by bin(15m) to get a time-series, and filter again after stats to threshold it
  • Use pkt-srcaddr/pkt-dstaddr to see the original pre-NAT IPs in a flow log
  • A cross-account CloudWatch Logs destination needs a destination access policy for senders
  • Firehose invokes the transform Lambda synchronously with a 6 MB limit and routes failures to a backup folder
  • Route 53 Resolver query logging records only unique queries, not cache hits

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. AWS CloudTrail concepts
  2. VPC Flow Logs
  3. Route 53 Resolver query logging
  4. Transit Gateway Flow Logs
  5. Creating a trail for an organization
  6. Publishing flow logs to Amazon S3
  7. Validating CloudTrail log file integrity
  8. Using S3 Object Lock
  9. Configuring MFA delete
  10. Working with CloudTrail Lake
  11. What is Amazon Security Lake?
  12. Analyzing log data with CloudWatch Logs Insights