AWS Top 10 Security Risks Issue 4: Enhance Logging and Monitoring

February 3, 2026 - CSP Team

Security incidents are unavoidable. No matter how strong your security posture, mistakes can still happen. What sets a great security program apart from a good one is the ability to detect and respond to these incidents.

Incident response relies on two key components: logging and monitoring. Logging provides visibility into your cloud environment, while monitoring analyzes the logs to identify unusual activity that may signal a security threat. Implementing both ensures you are proactively alerted to potential threats and equipped to identify and resolve misconfigurations.

In our fourth installment on the AWS Top 10 Security Risks, we’ll discuss the #4 priority for securing your AWS accounts: enhancing logging and monitoring. This series highlights the most common security issues we at Cloud Security Partners have seen in our customers’ AWS accounts, and how to best address them.

Building a Robust Logging Strategy

Working on an incident without proper logging and monitoring is very difficult. It is challenging to pinpoint the cause of an incident, assess the scope of a breach, or even determine how long the incident remained uncontained. Logging and monitoring help gather information to make this task much easier.

Comprehensive logging helps identify when sensitive events occur within your environment. This provides insights that can help diagnose issues, contain incidents, and implement robust fixes. Monitoring takes this a step further by allowing you to proactively detect potential threats and minimize response times during an incident.

For maximum effectiveness, logging and monitoring should be enabled strategically. The two key components of this strategy are visibility and searchability.

Visibility is important to gather clear insights into all system components. In AWS, this is done by enabling monitoring on all resources, all regions, and all accounts.

However, access to data is not enough. Searchability is important to effectively retrieve and analyze logs and turn them into actionable findings. In AWS, this is enabled by collecting all logs and metrics in a single, central place and integrating with analysis pipelines.

Core AWS Logging and Monitoring Tools

AWS makes it easy to enable a logging and monitoring strategy. The three main tools to enable are AWS CloudTrail, AWS CloudWatch, and AWS Config.

AWS CloudTrail: Visibility into API Activity

CloudTrail is a logging service that records the API calls made in your account, whether they come from the console, the CLI, SDKs, or other AWS services. It is critical for tracing an attacker’s path through your environment.

When enabling CloudTrail, turn on log file validation so that delivered log files can later be checked for tampering, and also enable data event logging for visibility into object-level actions such as S3 object reads and writes, which are not recorded by default.

# Create a trail that covers all regions and delivers signed digest files,
# which is what later integrity checks (aws cloudtrail validate-logs) rely on.
aws cloudtrail create-trail \
    --name MyCloudTrail \
    --s3-bucket-name MyLoggingBucket \
    --is-multi-region-trail \
    --enable-log-file-validation
# create-trail only defines the trail; delivery begins after
#   aws cloudtrail start-logging --name MyCloudTrail
# Data events are off by default and are configured separately with
# aws cloudtrail put-event-selectors.
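Log file validation only pays off if someone actually checks the digest files. The following is an added example (not code from the post or from AWS) that reproduces, offline, the two checks that can be made from a digest file's contents, which is what `aws cloudtrail validate-logs` does for you: every log object the digest lists still hashes to its recorded `hashValue`, and the digest chains to its predecessor through `previousDigestHashValue`. The RSA signature over the digest itself needs CloudTrail's public key and is not reproduced. It assumes hashes are SHA-256 over the object bytes as stored in S3 (confirm against the AWS digest-file documentation before relying on it); the bucket contents and digest are constructed for the demo.

```python
"""Offline check of CloudTrail digest files against the log objects they cover.

Added example, not code from the post or from AWS. Assumption: hashValue is
SHA-256 over the log object bytes exactly as stored in S3. All data here is
constructed.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the log bucket: S3 key -> object bytes.
PREFIX = "AWSLogs/111122223333/CloudTrail/us-east-1/2026/02/03/"
LOG_OBJECTS = {
    PREFIX + "111122223333_CloudTrail_us-east-1_20260203T1000Z_a.json.gz":
        b'{"Records":[{"eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com"}]}',
    PREFIX + "111122223333_CloudTrail_us-east-1_20260203T1005Z_b.json.gz":
        b'{"Records":[{"eventName":"StopLogging","eventSource":"cloudtrail.amazonaws.com"}]}',
}

# The previous digest file (constructed); its hash must appear in the next digest.
PREVIOUS_DIGEST_BYTES = json.dumps(
    {"digestEndTime": "2026-02-03T10:00:00Z", "logFiles": []}
).encode()

# A digest in the shape CloudTrail delivers, built over the objects above.
DIGEST = {
    "awsAccountId": "111122223333",
    "digestStartTime": "2026-02-03T10:00:00Z",
    "digestEndTime": "2026-02-03T11:00:00Z",
    "previousDigestHashValue": sha256_hex(PREVIOUS_DIGEST_BYTES),
    "previousDigestHashAlgorithm": "SHA-256",
    "logFiles": [
        {
            "s3Bucket": "MyLoggingBucket",
            "s3Object": key,
            "hashValue": sha256_hex(data),
            "hashAlgorithm": "SHA-256",
        }
        for key, data in LOG_OBJECTS.items()
    ],
}


def verify_digest(digest, objects, previous_digest_bytes):
    """Return (ok, problems) for one digest against the objects it covers.

    A missing object means a log file was deleted, a hash mismatch means it
    was modified, and a chain break means a digest in between was removed
    or replaced.
    """
    problems = []
    if digest["previousDigestHashValue"] != sha256_hex(previous_digest_bytes):
        problems.append("digest chain broken: previous digest hash mismatch")
    for entry in digest["logFiles"]:
        if entry.get("hashAlgorithm") != "SHA-256":
            problems.append(f"unsupported hash algorithm for {entry['s3Object']}")
            continue
        data = objects.get(entry["s3Object"])
        if data is None:
            problems.append(f"missing log file: {entry['s3Object']}")
        elif sha256_hex(data) != entry["hashValue"]:
            problems.append(f"modified log file: {entry['s3Object']}")
    return (not problems, problems)


def tampered_copy(objects):
    """Constructed scenario: the first log file rewritten, the second deleted."""
    keys = list(objects)
    copy = dict(objects)
    copy[keys[0]] = b'{"Records":[]}'
    del copy[keys[1]]
    return copy


if __name__ == "__main__":
    print(verify_digest(DIGEST, LOG_OBJECTS, PREVIOUS_DIGEST_BYTES))
    print(verify_digest(DIGEST, tampered_copy(LOG_OBJECTS), PREVIOUS_DIGEST_BYTES))
```

Run against the intact bucket the check passes; against the tampered copy it reports one modified and one missing file, which is exactly the signal you want an automated job to raise rather than discover months later during an investigation.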

AWS CloudWatch: Configurable Monitoring

CloudWatch lets you define metrics and alarms for security-relevant events and proactively monitor for threats. Signals such as console login failures and unusual API activity are not built-in metrics: they are extracted from CloudTrail logs with CloudWatch Logs metric filters, tracked with a CloudWatch alarm, and can trigger automated responses through Lambda functions.

An example alarm can be enabled with:

# FailedAuthenticationAttempts is not an AWS-published metric: publish it from the
# trail's CloudWatch Logs group with a metric filter (aws logs put-metric-filter)
# into a custom namespace, then alarm on it. Metric-filter metrics carry no Region
# dimension, so the alarm must not specify one or it will never receive data.
aws cloudwatch put-metric-alarm \
    --alarm-name LoginFailuresAlarm \
    --metric-name FailedAuthenticationAttempts \
    --namespace CloudTrailMetrics \
    --statistic Sum \
    --period 300 \
    --evaluation-periods 1 \
    --threshold 10 \
    --comparison-operator GreaterThanOrEqualToThreshold \
    --alarm-actions arn:aws:sns:region:account-id:AlertTopic
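To see what such an alarm actually fires on, here is an added example (not code from the post) that applies the same predicate the CIS AWS Foundations Benchmark uses for its console-login-failure metric filter, `{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }`, to CloudTrail records and evaluates the alarm condition above (Sum of at least 10 within one 300-second period). It also groups failures by source IP, which the alarm does not do but an analyst triaging the alert would. The log file is constructed.

```python
"""Failed-console-login detection over CloudTrail records, offline.

Added example, not code from the post. The predicate mirrors the CIS
benchmark metric filter; the period/threshold mirror the alarm command.
The log file is constructed.
"""
from collections import Counter
from datetime import datetime, timezone
import json

PERIOD_SECONDS = 300   # --period 300
THRESHOLD = 10         # --threshold 10, GreaterThanOrEqualToThreshold


def is_failed_console_login(record: dict) -> bool:
    """Same condition as the metric filter pattern."""
    return (record.get("eventName") == "ConsoleLogin"
            and record.get("errorMessage") == "Failed authentication")


def parse_event_time(ts: str) -> int:
    """CloudTrail eventTime is ISO 8601 in UTC; return Unix seconds."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def load_records(log_file_text: str) -> list:
    """A CloudTrail log file is one JSON object with a 'Records' array."""
    return json.loads(log_file_text)["Records"]


def breached_periods(records, period=PERIOD_SECONDS, threshold=THRESHOLD):
    """Sum matching events per aligned period (what Statistic=Sum does) and
    return [(period_start, count)] for each period meeting the threshold."""
    counts = Counter()
    for rec in records:
        if is_failed_console_login(rec):
            t = parse_event_time(rec["eventTime"])
            counts[t - t % period] += 1
    return sorted((start, n) for start, n in counts.items() if n >= threshold)


def failures_by_source(records):
    """Triage helper: failed logins per sourceIPAddress, most frequent first."""
    c = Counter(r.get("sourceIPAddress") for r in records if is_failed_console_login(r))
    return c.most_common()


def _record(event_time, user, source_ip, failed):
    """Build one constructed ConsoleLogin record in CloudTrail's shape."""
    rec = {
        "eventVersion": "1.08",
        "eventTime": event_time,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": user},
        "sourceIPAddress": source_ip,
        "responseElements": {"ConsoleLogin": "Failure" if failed else "Success"},
    }
    if failed:
        rec["errorMessage"] = "Failed authentication"
    return rec


# Constructed log file: a burst of failures from one address inside the
# 10:00-10:05 period, two normal logins, and two stray failures later on.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    *[_record(f"2026-02-03T10:0{i // 6}:{(i % 6) * 10:02d}Z",
              f"user{i % 4}", "203.0.113.10", True) for i in range(12)],
    _record("2026-02-03T10:01:15Z", "alice", "198.51.100.7", False),
    _record("2026-02-03T10:02:45Z", "bob", "198.51.100.8", False),
    _record("2026-02-03T10:07:00Z", "carol", "198.51.100.9", True),
    _record("2026-02-03T10:08:30Z", "carol", "198.51.100.9", True),
]})


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG_FILE)
    for start, n in breached_periods(recs):
        print(f"ALARM: {n} failed console logins in the period starting at {start}")
    print(failures_by_source(recs))
```

The two later failures fall into the next period and stay below the threshold, which is the same behaviour the alarm has; if you lower the threshold in `breached_periods` you can see how much noise a given setting would produce against your own logs before changing the alarm.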

AWS Config: Governance and Compliance Visibility

AWS Config monitors configuration changes in your AWS environment and alerts you to misconfigurations, while also enabling continuous compliance checks against cloud security standards.

# put-configuration-recorder takes the role inside --configuration-recorder (there is
# no separate --role-arn option); record every supported resource type, including
# global ones such as IAM.
aws configservice put-configuration-recorder \
    --configuration-recorder name=default,roleARN=arn:aws:iam::account-id:role/your-aws-config-role \
    --recording-group allSupported=true,includeGlobalResourceTypes=true
# The recorder also needs a delivery channel (aws configservice put-delivery-channel,
# pointing at an S3 bucket) and must be started with
#   aws configservice start-configuration-recorder --configuration-recorder-name default
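Beyond the managed rules, Config can run your own compliance logic: a custom rule invokes a Lambda function with the changed resource's configuration item, and the function reports COMPLIANT or NON_COMPLIANT through `config:PutEvaluations`. The block below is an added example (not code from the post or from AWS) of that logic for `AWS::CloudTrail::Trail` items, checking the same settings the trail command above enables. It assumes the trail's configuration item exposes the Trail API fields (`isMultiRegionTrail`, `logFileValidationEnabled`, `includeGlobalServiceEvents`, `cloudWatchLogsLogGroupArn`) in camelCase, which you should confirm against a real item in your account; the handler returns the evaluation it would submit, with the boto3 call named in a comment, so it runs without AWS access. The invocation events are constructed.

```python
"""Custom AWS Config rule logic for CloudTrail trails, runnable offline.

Added example, not code from the post or from AWS. Assumption: the trail
configuration item carries the Trail API fields in camelCase. The events
below are constructed.
"""
import json

REQUIRED_TRUE = {
    "isMultiRegionTrail": "trail must cover all regions",
    "logFileValidationEnabled": "log file validation must be on",
    "includeGlobalServiceEvents": "global service events (IAM, STS) must be included",
}


def evaluate_trail(configuration: dict):
    """Return (compliance_type, annotation) for one trail configuration."""
    reasons = [why for key, why in REQUIRED_TRUE.items() if not configuration.get(key)]
    if not configuration.get("cloudWatchLogsLogGroupArn"):
        reasons.append("trail must deliver to a CloudWatch Logs group so metric filters can alarm on it")
    if reasons:
        return "NON_COMPLIANT", "; ".join(reasons)
    return "COMPLIANT", "trail meets the logging baseline"


def handler(event, context=None):
    """Shape of a custom Config rule handler.

    Returns the evaluation that a deployed function would submit with
    boto3.client('config').put_evaluations(Evaluations=[evaluation],
    ResultToken=event['resultToken']); the call is omitted so this runs offline.
    """
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    if item["resourceType"] != "AWS::CloudTrail::Trail":
        return None  # rule scoped to trails; nothing to report
    if item.get("configurationItemStatus") == "ResourceDeleted":
        compliance, annotation = "NOT_APPLICABLE", "trail was deleted"
    else:
        compliance, annotation = evaluate_trail(item["configuration"])
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # PutEvaluations caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def _event(configuration, status="OK"):
    """Constructed invocation event in the shape Config sends to the Lambda."""
    return {
        "invokingEvent": json.dumps({
            "configurationItem": {
                "resourceType": "AWS::CloudTrail::Trail",
                "resourceId": configuration["name"],
                "configurationItemStatus": status,
                "configurationItemCaptureTime": "2026-02-03T12:00:00.000Z",
                "configuration": configuration,
            },
            "messageType": "ConfigurationItemChangeNotification",
        }),
        "ruleParameters": "{}",
        "resultToken": "constructed-token",
    }


# Constructed trail configurations: one matching the baseline, one drifted.
GOOD_TRAIL = {
    "name": "MyCloudTrail", "s3BucketName": "MyLoggingBucket",
    "isMultiRegionTrail": True, "logFileValidationEnabled": True,
    "includeGlobalServiceEvents": True,
    "cloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/DefaultLogGroup:*",
}
WEAK_TRAIL = {
    "name": "RegionalTrail", "s3BucketName": "MyLoggingBucket",
    "isMultiRegionTrail": False, "logFileValidationEnabled": False,
    "includeGlobalServiceEvents": True, "cloudWatchLogsLogGroupArn": None,
}


if __name__ == "__main__":
    for trail in (GOOD_TRAIL, WEAK_TRAIL):
        print(json.dumps(handler(_event(trail)), indent=2))
```

Because Config re-evaluates on every configuration change, a trail that someone quietly turns into a single-region trail without validation shows up as non-compliant within minutes, and the annotation tells the responder exactly which settings drifted.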

Other logging and monitoring tools that should be enabled are:

  • VPC Flow logs, for logging network traffic within your AWS environment
  • Route 53 DNS logs, for detecting suspicious DNS traffic
  • GuardDuty, for threat detection monitoring
  • Security Hub, for a unified dashboard of security findings

Enabling the above tools across your AWS environment ensures that you have visibility across your management and resource settings and monitoring for security-related events. To enable searchability, you should also centralize your logs.

Centralizing and Monitoring your Logs

Having access to these logs is a great first step, but to produce actionable findings you need to centralize and analyze them. This takes two steps: centralizing your logs and integrating them with a Security Information and Event Management (SIEM) platform.

Logs can be centralized with a platform like Amazon Security Lake. If cost is a concern, S3 is another option for log management. Either way, it is important that these logs are immutable; gathering data is of no use if an attacker can delete it.

After you have selected your log management platform, you should integrate it with an SIEM.

SIEM platforms are designed to analyze security logs. They allow you to correlate data across multiple datasets, which can help identify complex attack patterns. Splunk and Datadog are two good options for SIEMs that integrate directly with AWS.

After you have integrated your SIEM, you can configure it with rules to detect patterns you are worried about. Now you have a robust logging and monitoring system that aggregates data and can respond to incidents both proactively and reactively.

Best Practices for Logging and Monitoring

Here are a few best practices to follow as you’re building your logging and monitoring strategy:

  1. Enable all logging services by default.

Whenever new resources are created, ensure that logging is enabled by default so that visibility gaps never appear.

Create AWS Config rules that verify all required logging settings are turned on, so that drift shows up as a non-compliant resource.

Attach Service Control Policies to your organization’s accounts to prevent anyone from disabling monitoring services, and to block deletion or modification of your log buckets.

  2. Ensure logs are stored immutably.

Logs should be stored resiliently so that even attackers who gain access to your environment cannot erase the traces of their activity.

Create your logging S3 bucket with S3 Object Lock enabled, in compliance mode and with a retention period that matches your investigation needs, so that log objects cannot be deleted before the period expires, even by the bucket owner.

Turn on log file integrity validation for your CloudTrail log files so that any tampering with delivered logs can be detected.

  3. Periodically test your logging and monitoring pipeline.

Test your infrastructure to make sure everything works as intended. Simulate incidents by deliberately introducing a misconfiguration (in a test account where possible), and check that every alarm fires and reaches the people who need to act on it.
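The Service Control Policy recommended under the first best practice is easiest to reason about with the document in front of you. Below is an added example (not code from the post or from AWS): the SCP denies stopping or deleting CloudTrail, Config and GuardDuty and denies deleting from, or rewriting the policy and retention settings of, the central log bucket, with a single break-glass role exempted through an `aws:PrincipalArn` condition. The `is_denied` function is a deliberately small evaluator covering only the Deny statements in this document (wildcard matching on action and resource plus the `StringNotLike` condition); it is not IAM's full evaluation logic. `MyLoggingBucket` and the `SecurityBreakGlass` role name are placeholders, and note that SCPs never restrict the organization's management account.

```python
"""Service control policy that keeps logging on, with a minimal deny check.

Added example, not code from the post or from AWS. The evaluator models only
the Deny statements below; placeholder bucket and role names.
"""
import fnmatch
import json

LOG_BUCKET = "MyLoggingBucket"                                  # placeholder
BREAK_GLASS_ROLE_PATTERN = "arn:aws:iam::*:role/SecurityBreakGlass"  # placeholder
EXEMPT_BREAK_GLASS = {"StringNotLike": {"aws:PrincipalArn": BREAK_GLASS_ROLE_PATTERN}}

PROTECT_LOGGING_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDisablingMonitoringServices",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors",
                "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder",
                "config:DeleteDeliveryChannel",
                "guardduty:DeleteDetector", "guardduty:UpdateDetector",
                "guardduty:DisassociateFromAdministratorAccount",
            ],
            "Resource": "*",
            "Condition": EXEMPT_BREAK_GLASS,
        },
        {
            "Sid": "DenyLogBucketTampering",
            "Effect": "Deny",
            "Action": [
                "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion",
                "s3:PutBucketPolicy", "s3:DeleteBucketPolicy",
                "s3:PutLifecycleConfiguration",
                "s3:PutBucketObjectLockConfiguration", "s3:PutObjectRetention",
            ],
            "Resource": [f"arn:aws:s3:::{LOG_BUCKET}", f"arn:aws:s3:::{LOG_BUCKET}/*"],
            "Condition": EXEMPT_BREAK_GLASS,
        },
    ],
}


def render_scp() -> str:
    """JSON to hand to aws organizations create-policy --type SERVICE_CONTROL_POLICY."""
    return json.dumps(PROTECT_LOGGING_SCP, indent=2)


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    if fold_case:
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def _condition_holds(condition, principal_arn):
    """Only StringNotLike on aws:PrincipalArn is modelled here."""
    for operator, key_values in condition.items():
        if operator != "StringNotLike":
            raise NotImplementedError(operator)
        for key, pattern in key_values.items():
            if key != "aws:PrincipalArn":
                raise NotImplementedError(key)
            if _matches(pattern, principal_arn):
                return False  # exempt principal: the Deny does not apply
    return True


def is_denied(policy, principal_arn, action, resource="*"):
    """True if any Deny statement in the policy blocks this request."""
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        if not _matches(statement["Action"], action, fold_case=True):
            continue
        if not _matches(statement["Resource"], resource):
            continue
        if _condition_holds(statement.get("Condition", {}), principal_arn):
            return True
    return False


if __name__ == "__main__":
    dev = "arn:aws:iam::111122223333:role/Developer"
    print(is_denied(PROTECT_LOGGING_SCP, dev, "cloudtrail:StopLogging"))
    print(is_denied(PROTECT_LOGGING_SCP, dev, "s3:DeleteObject",
                    f"arn:aws:s3:::{LOG_BUCKET}/AWSLogs/2026/02/03/a.json.gz"))
    print(render_scp())
```

Read access to the bucket is deliberately left alone so investigators and the SIEM forwarder keep working, and the break-glass role should itself be tightly controlled and alerted on, since it is the one identity the guardrail does not stop.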

Checklist for Enabling Logging and Monitoring

  • Enable Logging tools
    • AWS CloudTrail
    • AWS Config
    • VPC Flow logs
    • Route 53 DNS logs
  • Centralize your Logs
    • Set up an S3 bucket with Object Lock Enabled; or
    • Set up Amazon Security Lake
    • Forward your logs using Kinesis Firehose
  • Set up Monitoring
    • Enable GuardDuty
    • Set up AWS CloudWatch alarms
    • Select an SIEM, like Splunk or Datadog
    • Create rules within your SIEM
  • Test your logging and monitoring pipeline

Conclusion

Logging and monitoring are two of the main components of a secure AWS environment. By setting up appropriate logging pipelines and robust monitoring against your logs, you’ll be able to proactively detect security threats and react quickly to fix security issues.

This post is the fourth in our series on the AWS Top 10 Security Risks: each installment will dive deeper into the most common risks we see across customer environments and how to fix them. Stay tuned for the next blog, and if you’d like expert help evaluating your cloud security, reach out to Cloud Security Partners for a comprehensive assessment of your AWS environment.
