Logging forms the foundation of detection in AWS. Without logs, there is no visibility into user activity, system behavior, or potential security threats. AWS provides multiple logging services that capture activity across accounts, networks, applications, and data layers.
In exam scenarios, you will typically need to:
Identify the appropriate log source
Select the correct storage solution
Design a centralized and scalable logging architecture
1. AWS Logging Strategy Overview

| Layer         | Log Type          | AWS Service                              |
|---------------|-------------------|------------------------------------------|
| Account / API | API activity logs | AWS CloudTrail                           |
| Network       | Traffic logs      | VPC Flow Logs, Transit Gateway Flow Logs |
| DNS           | Query logs        | Route 53 Resolver Logs                   |
| Application   | Application logs  | CloudWatch Logs                          |
| Data Access   | Object-level logs | S3 Access Logs, CloudTrail Data Events   |
2. Identifying Log Sources
Selecting the right log source depends on:
Threat model
System architecture
Compliance requirements
Key Log Sources

| Log Source             | Purpose                       | Example Use Case                      |
|------------------------|-------------------------------|---------------------------------------|
| CloudTrail             | Tracks API activity           | Detect unauthorized IAM actions       |
| VPC Flow Logs          | Captures network traffic      | Identify suspicious IP communication  |
| Route 53 Resolver Logs | Records DNS queries           | Detect data exfiltration via DNS      |
| S3 Access Logs         | Tracks object access          | Monitor sensitive data usage          |
| ELB Logs               | Records load balancer traffic | Analyze web traffic patterns          |
| CloudWatch Logs        | Stores application logs       | Debug and monitor applications        |
Exam Tip
Always enable CloudTrail across all regions to ensure complete visibility.
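The "detect unauthorized IAM actions" use case from the table, worked through as an added example (not part of the original notes). It reads CloudTrail records in their documented JSON layout and flags two things: calls the service refused for authorization reasons, and successful changes to IAM permissions made by a principal other than the expected administrator role. The sample records, the set of "sensitive" IAM actions and the role allow-list are constructed assumptions a team would tune to its own environment.

```python
"""Flag CloudTrail records that indicate unauthorized or sensitive IAM activity."""
import json

# Assumption: IAM actions that change who can do what and therefore deserve review.
SENSITIVE_IAM_ACTIONS = {
    "CreateUser", "CreateAccessKey", "AttachUserPolicy", "AttachRolePolicy",
    "PutUserPolicy", "PutRolePolicy", "UpdateAssumeRolePolicy", "CreateLoginProfile",
}
# Assumption: role names expected to perform IAM changes; anything else is flagged.
EXPECTED_ADMIN_ROLES = {"OrgAdminRole"}
# Error codes CloudTrail records when a call was refused by authorization.
DENIED_ERROR_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}


def actor_role(record):
    """Role name for an assumed-role session, or the user name for an IAM user."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        # For AssumedRole identities the role name lives under sessionIssuer.
        return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
    return ident.get("userName")


def classify_record(record):
    """Return finding labels for one CloudTrail record (empty list if benign)."""
    findings = []
    name = record.get("eventName", "")
    if record.get("errorCode") in DENIED_ERROR_CODES:
        findings.append("denied_call")
    if record.get("eventSource") == "iam.amazonaws.com" and name in SENSITIVE_IAM_ACTIONS:
        # Only successful changes count here; denied ones are already labelled above.
        if record.get("errorCode") is None and actor_role(record) not in EXPECTED_ADMIN_ROLES:
            findings.append("iam_change_by_unexpected_principal")
    return findings


def scan_records(records):
    """Map eventID -> findings for every record that produced at least one finding."""
    results = {}
    for record in records:
        labels = classify_record(record)
        if labels:
            results[record["eventID"]] = labels
    return results


# Constructed sample: an admin policy change, a denied EC2 call, and a user created by an app role.
SAMPLE_RECORDS = json.loads("""[
 {"eventID": "evt-1", "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
  "userIdentity": {"type": "AssumedRole",
                   "sessionContext": {"sessionIssuer": {"userName": "OrgAdminRole"}}}},
 {"eventID": "evt-2", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "errorCode": "Client.UnauthorizedOperation",
  "userIdentity": {"type": "IAMUser", "userName": "contractor"}},
 {"eventID": "evt-3", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
  "userIdentity": {"type": "AssumedRole",
                   "sessionContext": {"sessionIssuer": {"userName": "WebAppRole"}}}}
]""")

if __name__ == "__main__":
    for event_id, labels in scan_records(SAMPLE_RECORDS).items():
        print(event_id, labels)
```

In a real pipeline the same `classify_record` function would run over records pulled from the CloudTrail S3 bucket or from a CloudWatch Logs subscription; the point of the example is that both the "denied" and the "unexpected principal" signals are visible in the standard record fields without any enrichment.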
3. Configuring Logging for AWS Services
AWS enables automated and centralized logging configurations.
CloudTrail Best Practices

| Configuration       | Description                      |
|---------------------|----------------------------------|
| Organization Trail  | Captures logs across all accounts |
| Multi-Region Trail  | Ensures global coverage          |
| Log File Validation | Detects log tampering            |
| S3 + KMS Encryption | Secures log storage              |
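The best-practice table above turned into an audit check, as an added example (not from the original notes). The input dicts use the field names that CloudTrail's DescribeTrails and GetTrailStatus API responses carry (`IsOrganizationTrail`, `IsMultiRegionTrail`, `LogFileValidationEnabled`, `KmsKeyId`, `S3BucketName`, `IsLogging`); the two sample trails are constructed, and their bucket and KMS key values are placeholders.

```python
"""Audit CloudTrail trail descriptions against the configuration best practices."""


def audit_trail(trail, status=None):
    """Return the list of gaps for one trail description (empty list = compliant).

    `trail` is one entry of DescribeTrails' trailList; `status` is the optional
    GetTrailStatus response, used only to confirm the trail is still logging.
    """
    gaps = []
    if not trail.get("IsOrganizationTrail"):
        gaps.append("not an organization trail (member accounts are not covered)")
    if not trail.get("IsMultiRegionTrail"):
        gaps.append("single-region trail (activity in other regions is missed)")
    if not trail.get("LogFileValidationEnabled"):
        gaps.append("log file validation disabled (tampering cannot be detected)")
    if not trail.get("KmsKeyId"):
        gaps.append("log files not encrypted with a KMS key")
    if not trail.get("S3BucketName"):
        gaps.append("no S3 delivery bucket configured")
    if status is not None and not status.get("IsLogging"):
        gaps.append("trail is not currently logging")
    return gaps


def audit_trails(trails, statuses=None):
    """Map trail name -> gaps for a whole trailList.

    `statuses` optionally maps trail name -> GetTrailStatus output.
    """
    statuses = statuses or {}
    return {t["Name"]: audit_trail(t, statuses.get(t["Name"])) for t in trails}


# Constructed sample trails; bucket names and the key ARN are placeholders.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "S3BucketName": "example-logging-bucket",
     "IsMultiRegionTrail": True, "IsOrganizationTrail": True,
     "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"},
    {"Name": "dev-trail", "S3BucketName": "example-dev-bucket",
     "IsMultiRegionTrail": False, "IsOrganizationTrail": False,
     "LogFileValidationEnabled": False},
]
SAMPLE_STATUSES = {"org-trail": {"IsLogging": True}, "dev-trail": {"IsLogging": False}}

if __name__ == "__main__":
    for name, gaps in audit_trails(SAMPLE_TRAILS, SAMPLE_STATUSES).items():
        print(name, "OK" if not gaps else gaps)
```

Against a live account the same functions take `boto3.client("cloudtrail").describe_trails()["trailList"]` and `get_trail_status(Name=...)` as input; the check is deliberately read-only so it can run from the logging account without any write permission on trails.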
CloudWatch Logging Components

| Feature          | Purpose                                     |
|------------------|---------------------------------------------|
| Log Groups       | Store logs for applications or services     |
| Log Streams      | Separate log sources within a group         |
| CloudWatch Agent | Sends logs from EC2 or on-premises systems  |
Centralized Logging Architecture
A recommended design includes:
A dedicated logging account
Centralized storage using Amazon S3
Access control via IAM policies and SCPs
Exam Insight
Centralized logging is a standard best practice for multi-account environments.
4. Log Storage and Data Lakes
Amazon Security Lake
Centralizes security logs across multiple accounts
Uses the Open Cybersecurity Schema Framework (OCSF)
Integrates with AWS services and third-party SIEM tools
S3-Based Log Data Lake

| Feature     | Benefit                                 |
|-------------|-----------------------------------------|
| Scalability | Virtually unlimited storage             |
| Durability  | 99.999999999% durability                |
| Integration | Works with Athena, Glue, and QuickSight |
Third-Party Integrations
Common integrations include:
Splunk
Datadog
IBM QRadar
Exam Tip
Security Lake is often the preferred solution for modern centralized logging architectures.
5. Log Analysis Using AWS Services
CloudWatch Logs Insights
Enables real-time log querying using a SQL-like syntax
Ideal for troubleshooting and quick analysis
Amazon Athena
Queries logs stored in S3
Serverless and cost-effective for historical analysis
AWS Security Hub
Aggregates and normalizes security findings
Uses the AWS Security Finding Format (ASFF)
Service Comparison

| Service                 | Best Use Case                   |
|-------------------------|---------------------------------|
| CloudWatch Logs Insights | Real-time debugging            |
| Amazon Athena           | Historical log analysis         |
| Security Hub            | Aggregation of security findings |
6. Log Normalization, Parsing, and Correlation
Logs from different services often have inconsistent formats. Normalization helps:
Standardize log structure
Simplify correlation across services
Improve threat detection accuracy
Amazon OpenSearch Service
Provides full-text search capabilities
Enables log analytics dashboards
Functions similarly to a SIEM system
AWS Lambda for Log Processing
Transforms and enriches logs
Routes logs to downstream services
Amazon Managed Grafana
Visualizes logs and metrics
Integrates with CloudWatch and OpenSearch
Example Log Processing Pipeline
CloudTrail → S3 → Lambda → OpenSearch → Grafana
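The Lambda step of that pipeline, as an added example (not from the original notes). CloudTrail delivers each log file to S3 as gzip-compressed JSON with a top-level `Records` array; the code decodes such a file and flattens every record into one document with a fixed field layout, which is the normalization that makes later correlation across sources simpler. Reading the object from S3 and writing to OpenSearch are left out (they would use boto3 and an HTTP client); the flattened field names are this example's own choice, not OCSF, and the sample log file is constructed.

```python
"""Transform one delivered CloudTrail log file into normalized, searchable documents."""
import gzip
import json


def parse_cloudtrail_file(gz_bytes):
    """Decompress one CloudTrail log file as delivered to S3 and return its records."""
    return json.loads(gzip.decompress(gz_bytes))["Records"]


def normalize(record):
    """Flatten a CloudTrail record into a fixed set of fields (this example's own layout)."""
    ident = record.get("userIdentity", {})
    return {
        "timestamp": record.get("eventTime"),
        "source": "cloudtrail",
        "account": record.get("recipientAccountId"),
        "region": record.get("awsRegion"),
        "actor": ident.get("arn"),
        "actor_type": ident.get("type"),
        # service:action is a single key that is easy to group and alert on downstream
        "action": f'{record.get("eventSource", "")}:{record.get("eventName", "")}',
        "src_ip": record.get("sourceIPAddress"),
        "outcome": "failure" if record.get("errorCode") else "success",
        "error": record.get("errorCode"),
        "read_only": record.get("readOnly", False),
        "event_id": record.get("eventID"),
    }


def transform_file(gz_bytes):
    """Full Lambda step: bytes of one log file -> list of normalized documents."""
    return [normalize(r) for r in parse_cloudtrail_file(gz_bytes)]


# Constructed sample log file, compressed the same way CloudTrail delivers it.
SAMPLE_FILE = gzip.compress(json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-01-15T10:00:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "recipientAccountId": "111111111111",
     "readOnly": True, "eventID": "e-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/analyst"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-15T10:00:05Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "recipientAccountId": "111111111111",
     "readOnly": False, "eventID": "e-2", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/analyst"}},
]}).encode())

if __name__ == "__main__":
    for doc in transform_file(SAMPLE_FILE):
        print(json.dumps(doc))
```

Keeping `event_id` in the document gives OpenSearch a stable document id, so a re-delivered or re-processed file overwrites rather than duplicates events; `outcome` and `src_ip` are the fields the flow-log and DNS documents would share, which is what a correlation search joins on.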
7. Network-Based Logging
VPC Flow Logs
Capture:
Source and destination IP addresses
Ports
Traffic status (accept/reject)
Transit Gateway Flow Logs
Monitor traffic between VPCs
Useful in multi-account architectures
Route 53 Resolver Logs
Capture DNS queries
Help detect data exfiltration and malicious domains
Threat Mapping

| Threat Type            | Log Source     |
|------------------------|----------------|
| Data exfiltration      | Route 53 logs  |
| Lateral movement       | VPC Flow Logs  |
| Unauthorized API calls | CloudTrail     |
| Suspicious traffic     | Flow Logs      |
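The two network log sources in the mapping above, worked as an added example (not from the original notes): a parser for VPC Flow Log lines in the default format, a reader for Route 53 Resolver query-log records, and one simple detection for each row of the table that uses them. For flow logs it counts how many distinct destination ports or hosts a single source touches (scan-like and lateral-movement-like fan-out); for DNS it counts unique subdomains and unusually long labels under one parent domain (the classic exfiltration signals). The sample lines and all thresholds are constructed assumptions to tune per environment.

```python
"""Detections over VPC Flow Logs and Route 53 Resolver query logs."""
import json
from collections import defaultdict

# Field order of the default VPC Flow Log format (version 2).
FLOW_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
               "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]


def parse_flow_line(line):
    """Parse one default-format flow log line; '-' placeholders become None."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        raise ValueError("unexpected field count: " + line)
    rec = dict(zip(FLOW_FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def find_fan_out(flow_lines, port_threshold=5, host_threshold=5):
    """Per source: many distinct destination ports (scan-like) or many distinct
    destination hosts (lateral-movement-like). Returns {srcaddr: [labels]}."""
    ports, hosts = defaultdict(set), defaultdict(set)
    for line in flow_lines:
        rec = parse_flow_line(line)
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records carry no traffic fields
        ports[rec["srcaddr"]].add(rec["dstport"])
        hosts[rec["srcaddr"]].add(rec["dstaddr"])
    findings = {}
    for src in ports:
        labels = []
        if len(ports[src]) >= port_threshold:
            labels.append("port_fan_out")
        if len(hosts[src]) >= host_threshold:
            labels.append("host_fan_out")
        if labels:
            findings[src] = labels
    return findings


def parent_domain(query_name, levels=2):
    """Last `levels` labels of a query name, e.g. 'x.y.example.com.' -> 'example.com'."""
    return ".".join(query_name.rstrip(".").split(".")[-levels:])


def find_dns_fan_out(resolver_records, subdomain_threshold=10, long_label_len=30):
    """Per (source, parent domain): many unique subdomains, or labels long enough to
    carry encoded data. Returns {(srcaddr, parent): [labels]}."""
    names, long_labels = defaultdict(set), defaultdict(int)
    for rec in resolver_records:
        key = (rec["srcaddr"], parent_domain(rec["query_name"]))
        names[key].add(rec["query_name"])
        if any(len(label) >= long_label_len for label in rec["query_name"].split(".")):
            long_labels[key] += 1
    findings = {}
    for key, seen in names.items():
        labels = []
        if len(seen) >= subdomain_threshold:
            labels.append("many_unique_subdomains")
        if long_labels[key] > 0:
            labels.append("long_labels")
        if labels:
            findings[key] = labels
    return findings


# Constructed flow lines: one host probes six ports on a peer (mostly rejected),
# one NODATA record, and ordinary HTTPS from another host.
SAMPLE_FLOW_LINES = [
    f"2 111111111111 eni-0123456789abcdef0 10.0.1.5 10.0.2.10 51000 {port} 6 3 180 "
    f"1700000000 1700000060 {act} OK"
    for port, act in [(22, "REJECT"), (80, "ACCEPT"), (443, "ACCEPT"),
                      (445, "REJECT"), (3389, "REJECT"), (8080, "REJECT")]
] + [
    "2 111111111111 eni-0123456789abcdef0 - - - - - - - 1700000000 1700000060 - NODATA",
    "2 111111111111 eni-0123456789abcdef1 10.0.3.7 10.0.2.10 52000 443 6 20 4096 "
    "1700000000 1700000060 ACCEPT OK",
]
# Constructed Resolver query-log records (the JSON fields used are from the documented
# format): twelve long, unique subdomains under one parent from one host, plus normal lookups.
SAMPLE_DNS = [json.loads(line) for line in [
    json.dumps({"query_name": f"{'a1b2c3d4e5' * 4}{i:02d}.tunnel.example.", "query_type": "TXT",
                "rcode": "NOERROR", "srcaddr": "10.0.1.5", "vpc_id": "vpc-0abc"})
    for i in range(12)
] + [
    json.dumps({"query_name": "www.example.com.", "query_type": "A", "rcode": "NOERROR",
                "srcaddr": "10.0.3.7", "vpc_id": "vpc-0abc"}),
    json.dumps({"query_name": "api.example.com.", "query_type": "A", "rcode": "NOERROR",
                "srcaddr": "10.0.3.7", "vpc_id": "vpc-0abc"}),
]]

if __name__ == "__main__":
    print(find_fan_out(SAMPLE_FLOW_LINES))
    print(find_dns_fan_out(SAMPLE_DNS))
```

Both detections key on the source address, so a hit in one can be joined to the other (and to the CloudTrail `sourceIPAddress` field) in OpenSearch or Athena; that join is the correlation step the next section's pipeline is built for.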
8. Key Logging Architecture Pattern
Centralized Logging Pipeline
CloudTrail logs → Amazon S3
VPC Flow Logs → CloudWatch or S3
Logs aggregated into Security Lake
Analysis using Athena or OpenSearch
Security Hub aggregates findings
9. Key Exam Tips
Tip 1: CloudTrail Configuration
Always select:
Multi-region trails
Organization-wide trails
Encrypted S3 storage
Tip 2: Centralized Logging
Use:
A dedicated logging account
S3-based data lake
Amazon Security Lake
Tip 3: Log Analysis Strategy
Real-time analysis → CloudWatch Logs Insights
Historical analysis → Amazon Athena
Tip 4: Network Threat Detection
VPC Flow Logs → Traffic monitoring
Route 53 Logs → DNS analysis
Tip 5: Log Correlation
Use:
OpenSearch
Lambda
Security Hub
Tip 6: SIEM Integration
Combine:
Security Lake
OpenSearch
Third-party tools
Tip 7: Data Protection
Encrypt logs using AWS KMS
Restrict access using IAM policies
Final Thoughts
Designing effective logging solutions in AWS requires a focus on visibility, centralization, and analysis.
For the exam, prioritize:
Selecting the correct log sources
Centralizing logs using S3 or Security Lake
Using Athena, CloudWatch, and OpenSearch for analysis
Correlating logs to detect and respond to threats effectively