Which Services Can We Leverage?
AWS offers multiple services around logging and monitoring. For example, you have almost certainly heard of CloudTrail and CloudWatch, but they are just the tip of the iceberg.
CloudWatch Logs is the default logging service for many AWS resources (like EC2, RDS, etc.): it captures application events and error logs, and allows you to monitor and troubleshoot application performance. CloudTrail, on the other hand, works at a lower level, recording the API calls made against the various AWS services.
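To make the distinction concrete, the following added example (mine, not code from the original post) normalises a sample of each log type into one common event shape, which is the first job of any security logging platform. Both inputs are constructed: the CloudTrail sample follows the `Records` layout of a CloudTrail log file, and the CloudWatch sample follows the `DATA_MESSAGE` payload that a CloudWatch Logs subscription filter delivers. Field names such as `eventSource`, `userIdentity` and `logEvents` are the real ones; the account id, user names, IPs and log group are placeholders.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of a CloudTrail log file (top-level "Records" array).
SAMPLE_CLOUDTRAIL = json.dumps({
    "Records": [
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser", "userName": "alice",
                             "arn": "arn:aws:iam::123456789012:user/alice"},
            "eventTime": "2021-06-01T12:00:00Z",
            "eventSource": "iam.amazonaws.com",
            "eventName": "CreateUser",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.10",
            "requestParameters": {"userName": "backup-svc"},
        },
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/session"},
            "eventTime": "2021-06-01T12:05:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "DeleteBucket",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.7",
            "errorCode": "AccessDenied",
            "errorMessage": "Access Denied",
        },
    ]
})

# Constructed sample in the shape CloudWatch Logs delivers through a subscription filter.
SAMPLE_CLOUDWATCH = json.dumps({
    "messageType": "DATA_MESSAGE",
    "owner": "123456789012",
    "logGroup": "/app/payments",
    "logStream": "i-0abc123",
    "subscriptionFilters": ["all"],
    "logEvents": [
        {"id": "1", "timestamp": 1622548800000, "message": "ERROR payment gateway timeout after 30s"},
        {"id": "2", "timestamp": 1622548801000, "message": "INFO order 42 processed"},
    ],
})

# CloudWatch sends a CONTROL_MESSAGE to test a new subscription; it carries no log data.
SAMPLE_CLOUDWATCH_CONTROL = json.dumps({
    "messageType": "CONTROL_MESSAGE", "owner": "123456789012", "logGroup": "",
    "logStream": "", "subscriptionFilters": [], "logEvents": [],
})


def normalize_cloudtrail(raw):
    """CloudTrail answers 'who called which API, from where, and did it succeed'."""
    events = []
    for rec in json.loads(raw)["Records"]:
        ident = rec.get("userIdentity", {})
        events.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "source": "cloudtrail",
            "actor": ident.get("userName") or ident.get("arn", "unknown"),
            "action": f'{rec["eventSource"]}:{rec["eventName"]}',
            "origin": rec.get("sourceIPAddress"),
            # A present errorCode means the API call was rejected (e.g. AccessDenied).
            "outcome": "failure" if "errorCode" in rec else "success",
        })
    return events


def normalize_cloudwatch(raw):
    """CloudWatch Logs answers 'what did the application itself report'."""
    payload = json.loads(raw)
    if payload.get("messageType") != "DATA_MESSAGE":
        return []
    events = []
    for ev in payload["logEvents"]:
        level = ev["message"].split(" ", 1)[0]   # assumes messages start with a level token
        events.append({
            "time": datetime.fromtimestamp(ev["timestamp"] / 1000, tz=timezone.utc),
            "source": "cloudwatch-logs",
            "actor": payload["logGroup"],
            "action": ev["message"],
            "origin": payload["logStream"],
            "outcome": "failure" if level in ("ERROR", "FATAL") else "success",
        })
    return events


def merge_timeline(*streams):
    """Interleave events from both services into one time-ordered list (stable sort keeps input order on ties)."""
    return sorted((e for s in streams for e in s), key=lambda e: e["time"])


def failed_api_calls(events):
    """Rejected control-plane calls: only CloudTrail records carry this signal."""
    return [e for e in events if e["source"] == "cloudtrail" and e["outcome"] == "failure"]


if __name__ == "__main__":
    for e in merge_timeline(normalize_cloudtrail(SAMPLE_CLOUDTRAIL), normalize_cloudwatch(SAMPLE_CLOUDWATCH)):
        print(e["time"].isoformat(), e["source"], e["actor"], e["action"], e["outcome"])
```

Running it prints a single timeline in which the IAM `CreateUser` call, the application's gateway error and the denied `DeleteBucket` call sit side by side, which is the view an incident responder wants and which neither service gives on its own.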
Although listing (and describing) all services made available by AWS is out of scope for this blog post, there are a few brilliant resources which tackle this exact problem:
- “How to Enable Logging on Every AWS Service in Existence (Circa 2021)” from Matt Fuller tries to be the definitive guide to answer the question “how do I enable logging?” for every supported AWS service. Alongside this, Matt published a Google Sheet summarising the content of this blog post.
- “Logging in the Cloud: From Zero to (Incident Response) Hero” are the annotated slides (131 pages!) of a good talk delivered at RSA 2020 by the Secureworks team which tries to answer questions like “What Should I Be Logging?”, “How Specifically Should I Configure it?”, and “What Should I Be Monitoring?”. Especially interesting since it doesn’t cover only AWS, but also GCP and Azure.
- “What You Need to Know About AWS Security Monitoring, Logging, and Alerting” lays out the different AWS security monitoring and logging sources, and how to select the most appropriate collection technique for each of them.
- “Overview of AWS Logs” lists the main AWS logging sources with a summary table, the log format, an example and a Grok regex to parse the logs and ingest them into a tool like Elastic Stack (ELK).
In the remainder of this section I’ll provide a summary of the main services we will need to design our security logging platform. Before doing so, though, it might be helpful to have a high-level overview of how these services communicate (special thanks to Scott Piper for the original idea):
Source: Security Logging in Cloud Environments – AWS