CSA CCM LOG-04
Audit Logs Access and Accountability

Audit logs are a critical security control that can help detect suspicious activity in your cloud environment. Access to these sensitive logs should be tightly restricted and monitored to ensure accountability. Proper audit logging is a key component of an effective cloud security strategy.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full matrix at https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4. The CSA CCM provides a comprehensive set of cloud security best practices. For more on the importance of audit logging, check out the AWS documentation on CloudTrail Event Logging.

Who should care?

  • Cloud Security Architects designing logging and monitoring solutions
  • Cloud Operations Teams responsible for managing and securing cloud infrastructure
  • Compliance Officers ensuring alignment with relevant standards and regulations
  • Incident Responders who need audit logs for forensics and investigations

What is the risk?

Poor audit logging and access controls can allow attackers to evade detection and hide their tracks. Unauthorized access to audit logs could allow adversaries to cover up malicious activity. Incomplete logging may lead to security blind spots. Audit logs are vital for early detection of threats, effective incident response, and satisfying compliance mandates.

What's the care factor?

Audit logging should be a top priority for any organization operating in the cloud. Regulators and auditors will expect to see evidence of robust logging. In the event of a breach, detailed audit logs are critical for determining scope of impact and piecing together what happened. Don't neglect this foundational security control.

When is it relevant?

Audit logging makes sense for any production cloud environment, especially those handling sensitive data or supporting critical business functions. The more complex your cloud footprint, the more important audit logging becomes. For basic test/dev environments, logging may be less critical.

What are the trade-offs?

Logging everything will consume storage and potentially impact performance if not implemented efficiently. Start with logging key events like IAM activities, then expand coverage over time. Built-in logging may not cover all use cases, so third-party tools can augment native capabilities. Balance logging scope with costs and overhead.

How to make it happen?

  1. Enable AWS CloudTrail in all accounts and regions. Use an organization trail for centralized multi-account logging.
  2. Configure CloudTrail to log to a dedicated, immutable S3 bucket with access logging and versioning enabled. Use a separate account for log archival.
  3. Set up SNS notifications for CloudTrail log file delivery to monitor logging integrity.
  4. Use IAM policies and S3 bucket policies to tightly restrict access to CloudTrail logs. Grant read-only to those who need it for their roles.
  5. Configure metrics filters and alarms to alert on key events like IAM changes, console logins, unauthorized API calls, etc.
  6. Enable VPC Flow Logs, S3 Access Logs, and service-specific logging (RDS, ELB, etc.) for additional event coverage. Centralize in S3 or log aggregation tools.
  7. Integrate with a SIEM for long-term storage, analysis, and correlation of logs across cloud accounts. Automated response can be implemented here.
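As an added example (not from the CSA matrix or AWS), the alerting logic from step 5 expressed in Python and run offline over a constructed CloudTrail log file, so you can see what the metric filters should match before wiring them into CloudWatch. The IAM_CHANGE_EVENTS starter list, the sample records, and the account id 111111111111 are assumptions made for this example.

```python
import json
from collections import Counter

# IAM write operations worth alerting on (a starter list; extend it for your environment).
IAM_CHANGE_EVENTS = {"CreateUser", "DeleteUser", "CreateAccessKey", "CreateLoginProfile",
                     "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
                     "UpdateAssumeRolePolicy", "DeleteRolePolicy"}

def classify(record):
    """Return the step-5 alert categories that one CloudTrail record matches (may be several)."""
    hits = []
    error = record.get("errorCode") or ""   # absent on successful calls
    # Same condition the CIS AWS Benchmark metric filter uses for unauthorized API calls.
    if error.endswith("UnauthorizedOperation") or error.startswith("AccessDenied"):
        hits.append("unauthorized_api_call")
    if record.get("eventSource") == "iam.amazonaws.com" and record.get("eventName") in IAM_CHANGE_EVENTS:
        hits.append("iam_change")
    if record.get("eventName") == "ConsoleLogin":
        mfa_used = record.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        hits.append("console_login" if mfa_used else "console_login_without_mfa")
    return hits

def scan_log_file(log_file_text):
    """Parse one CloudTrail log file (a JSON object with a Records array) into alert dicts."""
    alerts = []
    for rec in json.loads(log_file_text)["Records"]:
        for category in classify(rec):
            alerts.append({"category": category, "eventTime": rec.get("eventTime"),
                           "eventName": rec.get("eventName"),
                           "principal": rec.get("userIdentity", {}).get("arn")})
    return alerts

def summarize(alerts):
    """Count alerts per category, as a CloudWatch metric filter would emit a metric per match."""
    return dict(Counter(a["category"] for a in alerts))

# Constructed sample log file in CloudTrail's on-disk shape; account id and ARNs are placeholders.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/dev/s1"}},
    {"eventTime": "2024-01-01T10:03:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/carol"}},  # benign, no alert
]})
```

Running scan_log_file(SAMPLE_LOG_FILE) yields three alerts (one per category) and leaves the benign DescribeInstances call alone; the same conditions translate directly into CloudWatch Logs filter patterns on the CloudTrail log group.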

What are some gotchas?

  • KMS key policies for encrypting logs must allow CloudTrail to use the key
  • IAM principals need cloudtrail:DescribeTrails, cloudtrail:GetTrailStatus, and cloudtrail:LookupEvents to view logs
  • Log entries may be delayed by up to 15 minutes, so real-time alerting has limitations
  • Logs tell you what happened, but not always why - enable AWS Config for greater configuration context

What are the alternatives?

Native logging tools like CloudTrail are a great start, but may not suffice for all needs. Consider augmenting with open source projects like the ELK stack or commercial offerings from Splunk, Sumo Logic, Datadog, etc. Endpoint Detection and Response (EDR) tools can provide an additional layer of visibility.

Explore further

  • Review the CIS Benchmark for AWS for specific logging best practices and configuration checks
  • Check out AWS Security Logging & Monitoring for holistic guidance
  • The SANS Cloud Security Curriculum offers in-depth training on this topic
  • CCM Controls IAM-04 and IAM-05 for related controls on monitoring and alerting on IAM activities
