Troubleshooting Logging Solutions in AWS
This section covers the following exam objective:
Domain 2: Incident Response
Task: Investigate and respond to incidents
1. Understanding Logging Troubleshooting in AWS
Troubleshooting logging in AWS involves identifying why logs are missing, delayed, or incomplete, and then applying the correct remediation. Logs are only valuable when they are:
- Consistently generated
- Securely stored
- Easily accessible for analysis
In exam scenarios, expect to:
- Diagnose missing logs
- Identify IAM or permission issues
- Fix misconfigured log destinations
2. AWS Logging Services and Troubleshooting Focus
Each AWS service has unique logging behavior, and misconfigurations are a frequent exam topic.
| Service | Capabilities | Common Issues |
|---|---|---|
| AWS CloudTrail | API activity, data events, multi-region & org trails | Not enabled in all regions, S3 bucket policy issues, missing KMS permissions |
| VPC Flow Logs | Network traffic at ENI, subnet, or VPC level | Unsupported resource, IAM role issues, missing log group |
| Route 53 Resolver Logs | DNS query logging | Not enabled in VPC, CloudWatch permission issues |
| CloudWatch Logs | Application and service logs | Agent misconfiguration, missing permissions, expired retention |
| ELB Access Logs | HTTP/S request logging | Logging not enabled, S3 bucket permission issues |
| S3 Access Logs / Data Events | Object-level access tracking | Logging not enabled, incorrect bucket policy |
Exam Tip
If logs are missing:
➡️ First verify the service supports the required log type
➡️ Then check IAM permissions and destination configuration
3. Log Attributes That Impact Troubleshooting
Several log characteristics can affect visibility:
Log Level
- DEBUG, INFO, WARN, ERROR
- Low verbosity may hide important events
Log Type
- Security → CloudTrail
- Network → VPC Flow Logs
- DNS → Route 53
- Application → CloudWatch Logs
Timing
- Some logs (e.g., CloudTrail) may be delayed (up to ~15 minutes)
Immutability
- S3 Object Lock prevents deletion or modification
Exam Tip
If logs appear missing but logging is enabled:
➡️ Consider verbosity level or delivery delay
4. IAM and Permission Dependencies
Permissions are one of the most common causes of logging failures.
Key Permission Requirements
- S3 Bucket Policy → Must allow
s3:PutObjectfrom logging services - CloudWatch Logs → Requires:
logs:CreateLogStreamlogs:PutLogEvents
- KMS Permissions → Required for encrypted logs
- Cross-Account Logging → Needs proper bucket policies for write access
Exam Tip
Missing logs are often caused by:
➡️ IAM role issues
➡️ S3 bucket policy misconfigurations
5. Common Troubleshooting Scenarios
CloudTrail Logs Not Delivered
Causes:
- Trail not multi-region
- S3 bucket policy denies access
- Missing KMS permissions
Fix:
- Enable multi-region / organization trail
- Update S3 and KMS policies
VPC Flow Logs Missing
Causes:
- Unsupported resource (e.g., NAT Gateway)
- IAM role misconfigured
- Log group deleted
Fix:
- Enable on supported resources
- Reconfigure IAM role
- Recreate log group
CloudWatch Logs Empty
Causes:
- Application not sending logs
- Agent misconfigured
- Wrong namespace
Fix:
- Reconfigure agent
- Verify IAM permissions
- Align namespace and log group
S3 Access Logs Not Generated
Causes:
- Logging not enabled
- Incorrect target bucket configuration
Fix:
- Enable logging
- Validate bucket policy
DNS Logs Missing
Causes:
- Query logging not enabled
- Not associated with VPC
- Permission issues
Fix:
- Enable Route 53 Resolver logging
- Verify CloudWatch permissions
6. Example: Debugging CloudTrail Log Delivery
Scenario
CloudTrail is enabled, but logs are not appearing in the S3 bucket.
Troubleshooting Steps
- Confirm the trail is active and multi-region
- Verify S3 bucket policy allows
cloudtrail.amazonaws.com - Check KMS permissions for encryption
- Review CloudTrail delivery status for errors
Key Insight
Most CloudTrail issues are caused by:
➡️ S3 bucket policy
➡️ KMS permission misconfiguration
7. Key Exam Tips
CloudTrail
- Must be multi-region for full visibility
- Issues usually involve S3 or KMS permissions
VPC Flow Logs
- Only supported resources generate logs
- IAM role configuration is critical
CloudWatch Logs
- Check
logs:PutLogEventspermission - Validate agent configuration
S3 Access Logs
- Must be explicitly enabled
- Target bucket must allow writes
DNS Logs
- Must be associated with a VPC
- Check CloudWatch permissions
General Troubleshooting Strategy
- Verify log type is correct
- Check permissions (IAM, S3, KMS)
- Validate configuration (region, service enablement)
- Consider delays before assuming failure
Important Insight
Sometimes logs appear missing because:
- They were deleted due to retention policies
- They were filtered out due to low verbosity
Final Thoughts
Troubleshooting AWS logging requires a methodical approach:
- Confirm the correct logging service is used
- Validate IAM and resource permissions
- Check destination configurations
- Account for log timing and verbosity
Focus Areas for the Exam
- Diagnosing missing logs
- Identifying permission issues
- Fixing misconfigurations
- Understanding logging service limitations
Mastering these troubleshooting patterns will help you quickly identify root causes in exam scenarios and apply the same skills in real-world AWS environments.
