AWS Cloud Security Best Practices: Logging and Monitoring Cloud Activity

The Blue Report 2024

Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.

DOWNLOAD

In the fast-paced and dynamic world of cloud services, staying on top of cyber threats requires organizations to be proactive about the health, performance, and security of their cloud environments. As a major cloud service provider, Amazon Web Services (AWS) provides various tools and services for logging and monitoring cloud activity, enabling organizations to gain critical insights about their cloud operations. 

In this blog post, we continue our blog series on AWS cloud security best practices and explain the best practices for logging and monitoring AWS cloud activity.

Validate Your Cloud Security Posture with The Picus Platform

Logging and Monitoring Best Practices in AWS Cloud

AWS CloudTrail is a logging and monitoring service that retains API calls and actions taken within an AWS account. CloudTrail provides a detailed history of activities and events, making it a valuable tool for incident response and troubleshooting. Events captured by CloudTrail can be sent to SIEM for further analysis or an S3 bucket for long-term storage. CloudTrail consists of the following components:

  • Event Source: Any AWS service or resource that generates events is labeled as an event source in AWS CloudTrail. These sources include Amazon S3, AWS Lambda, Amazon EC2, AWS IAM, and many others. Similar to log sources in operating systems, event sources provide log data that CloudTrail collects.

  • Event: An event is a record of a specific action or API calls made within an AWS account. Events contain information such as the identity of the user or service that made the call, the action performed, the time of the event, and details about the affected AWS resource. CloudTrail captures events generated by AWS services and resources.

  • Trail: A trail is a configuration that specifies the settings for recording events. Users can create multiple trails within their AWS account, each with its own settings. Trails can be configured to capture events from specific regions and services, and they specify where the event log files should be stored, such as an Amazon S3 bucket.

  • Log File: AWS CloudTrail generates log files that contain information about the events captured by the trail. These log files are stored in an Amazon S3 bucket specified in the trail configuration. Log files are organized by date and time and can be encrypted for security.

  • Event History: The CloudTrail Event History is a chronological view of recorded events within an AWS account. It provides a searchable and filterable interface for exploring log data, making it easier to investigate events, troubleshoot issues, and analyze account activity.

AWS CloudTrail is a great tool for organizations looking to maintain the integrity of their cloud infrastructure, detect and respond to security incidents, and meet regulatory requirements effectively. Here are some of the best practices for AWS CloudTrail.

Enable CloudTrail in all regions

Configuring trails in CloudTrail is the first step of logging and monitoring in AWS cloud environments. Organizations start with creating trails and a separate S3 bucket to store generated log data. When configuring trails, the "apply trail to all regions" should be enabled. This option enables organizations to collect log data from every AWS region and simplifies log management by centralizing event history. If the "apply trail to all regions" option is not enabled, CloudTrail only tracks the AWS region used to create the trail and limits security teams' visibility on events and incidents.

Use separate S3 buckets for storing log data

Security teams rely heavily on log data for incident response and recovery as it provides valuable information about an incident and cyber attack. Therefore, the availability of log data is crucial for security teams and should be maintained at all times, especially during and after cyber attacks. Adversaries also know the importance of log data for organizations, and they often attempt to delete or damage databases that store log data to prevent organizations from investigating or responding to cyber attacks. For these reasons, log data collected by CloudTrail should be stored in separate Amazon S3 buckets and not be mixed with other data. This S3 bucket should also have additional security controls such as restricted access, delete protection, and multi-factor authentication to ensure the security of log data.

Enable log validation

In the event of a security incident or breach, security teams need to be sure that any unauthorized user or service has not altered the log data. The integrity of log data should be maintained to accurately reflect the events and actions that occurred in the AWS cloud. Since adversaries may tamper with log data to remove the evidence of the compromise, organizations should validate the log data and ensure the authenticity of log files. 

CloudTrail has a built-in log validation feature, allowing organizations to verify the authenticity of log data using cryptographic hashing techniques. By enabling log validation, organizations can ensure that their log records remain authentic and reliable sources of information about AWS account activity. Validated log data can also be used as evidence in legal proceedings or disputes by demonstrating that log data is tamper-evident and has not been altered

Encrypt log data

In addition to the integrity and availability of the log data, organizations need to ensure the confidentiality of their log data. Since log data contains private information about users and services in AWS, unauthorized parties should not be able to read or use it. Even if adversaries were able to access the S3 bucket storing log data, they should not be able to extract any meaningful information from it. 

Encrypting log data is a great way to ensure confidentiality of log data. With proper key management, organizations can store their log data securely. AWS Key Management Service (KMS) is a fully managed encryption service that enables organizations to create, manage, and control cryptographic keys used to encrypt and decrypt any data in the cloud.  Although CloudTrail encrypts all log data by default, organizations should encrypt log files at rest using AWS KMS. This adds an additional layer of protection to the log data.

Monitor events for malicious activity 

As a part of their main responsibilities, security teams look for any suspicious activity in their on-premise and cloud infrastructure. They should  monitor their infrastructure to prevent or detect activities that are harmful to their organization's operations or prohibited by their policies. In AWS Cloud, two different services, GuardDuty and CloudWatch, help organizations monitor their cloud environments and detect malicious activities.

AWS GuardDuty is a managed threat detection service that helps organizations continuously monitor for malicious or unauthorized activity. GuardDuty provides an AWS-managed list of findings on potential security issues and uses machine learning to analyze collected log data for threat detection. Since it does not require manual setup and maintenance, organizations can deploy GuardDuty without too much effort. The other monitoring tool for AWS Cloud is CloudWatch. It is a monitoring and observability service that allows organizations to create custom metrics and set alarms for any breached metric. Unlike GuardDuty, CloudWatch is required to be set up manually and maintained. On the other hand, it gives greater control over detection rules and allows security teams to fine-tune their detection process in the cloud. In addition to AWS native services, organizations can also use their SIEM solutions to collect and analyze the CloudTrail logs for threat detection. It should be noted that detection alerts are part of the incident response, and organizations must have policies and procedures for the entire incident response process.

Picus Cloud Security Validation 

As organizations continue to migrate their workloads to the cloud, the need for automated cloud security posture management becomes more prominent. Picus Cloud Security Validation enables you to address cloud security issues before a breach happens. It allows security teams to audit their essential AWS services, identify misconfigured IAM policies, and validate their gaps with simulated attacks. Picus also provides actionable insights to help you address misconfigurations in your AWS environment. Reports and dashboards provided by Picus Cloud Security Validation enable you to track improvements to your cloud security posture and share results.

Conclusion

Amazon Web Services (AWS) continues to grow as a major cloud service provider, and many organizations increasingly use cloud services to run their operations. However, being in the cloud does not eliminate cyber security risks, and organizations are still responsible for ensuring the security of their business. Organizations are advised to follow the best practices outlined in this blog series to stay ahead of cyber threat actors.

  • Cloud environments are very dynamic. Tracking your assets and vulnerabilities is the key to addressing security gaps in your cloud infrastructure.

  • Identity and Access Management is critical for cloud security. Organizations need to follow the principle of least privilege (PoLP), fine-tune permissions, and enforce strict password policies.

  • Collecting log data is vital to understanding what is happening in the cloud. Collecting, securing, and monitoring log data is key to identifying and addressing threats before they can result in serious cloud breaches.