From Cramsession
Verified Author: Mflavell
Logging and Monitoring
CloudWatch is an important consideration: it can capture logs and metrics from AWS services and use them to drive automation.
Logging is of vital importance in the diagnosis of security and performance issues in AWS.
It is possible to capture all logs in an S3 bucket; however, this comes with a condition:
- The access logs for the logging S3 bucket cannot be stored inside that bucket itself.
- You will therefore need a separate bucket for storing the access logs of your S3 logging bucket.
- Access logging for the S3 logging bucket is highly recommended: an attacker may target the logging itself to inject bad data or delete records.
- Best practice is to create an access policy so that only the security team can read data from these buckets.
[Main logging bucket]
        |
        | writes access logs to
        v
[S3 logging bucket]
Delays in S3 logging
Data is pushed to the S3 logging bucket on a "best effort" basis.
- It can take a few hours for S3 logs to be delivered.
- S3 logs will not be available in real time.
- AWS runs a massive shared storage system; this is the reason behind the delay.
Enabling S3 access logs
This assumes you already have a bucket you want to log.
- Create a separate bucket to deliver the logs to.
Create a JSON file (here s3logs.json) defining where the logs are to be placed:
{
    "LoggingEnabled": {
        "TargetBucket": "logging bucket",
        "TargetPrefix": "S3Logs/"
    }
}
Apply the JSON file with the CLI (the bucket being logged is the --bucket argument, the logging bucket is named in the JSON):
aws s3api put-bucket-logging --bucket s3_bucket_to_log --bucket-logging-status file://s3logs.json
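As an added example (not from the original notes), the following Python builds the two documents this procedure needs, the logging-status JSON for put-bucket-logging and a bucket policy that restricts reads of the log data to the security team, and checks a proposed bucket layout against the rules above (no bucket may log to itself, and the logging bucket should itself have access logging). Bucket names and the security-team role ARN are constructed placeholders.

```python
"""Build and sanity-check S3 server access logging configuration (added example)."""
import json

# Placeholder ARN of the role that is allowed to read the log data.
SECURITY_TEAM_ROLE = "arn:aws:iam::111122223333:role/SecurityTeam"


def logging_status(target_bucket: str, prefix: str = "S3Logs/") -> dict:
    """The document passed as --bucket-logging-status: where access logs go."""
    return {"LoggingEnabled": {"TargetBucket": target_bucket, "TargetPrefix": prefix}}


def check_logging_chain(layout: dict) -> list:
    """layout maps each bucket to its logging target bucket (None = logging off).

    Returns a list of findings, empty when the layout follows the notes:
    a bucket must not store its own access logs, and every bucket that
    receives access logs should itself be logged (to another bucket).
    """
    findings = []
    for source, target in layout.items():
        if target == source:
            findings.append(f"ERROR {source}: access logs cannot be stored in the bucket itself")
    for target in sorted({t for t in layout.values() if t}):
        if not layout.get(target):
            findings.append(f"WARN {target}: receives access logs but has no access logging of its own")
    return findings


def read_restriction_policy(bucket: str, reader_arns: list) -> dict:
    """Bucket policy denying s3:GetObject on the log data to every principal not listed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OnlySecurityTeamReadsLogs",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringNotEquals": {"aws:PrincipalArn": reader_arns}},
        }],
    }


if __name__ == "__main__":
    # Constructed layout: the main bucket logs to app-logs, which logs to a third bucket.
    layout = {"app-data": "app-logs", "app-logs": "app-logs-access", "app-logs-access": None}
    print(json.dumps(logging_status("app-logs"), indent=4))  # contents of s3logs.json
    print("\n".join(check_logging_chain(layout)))
    print(json.dumps(read_restriction_policy("app-logs", [SECURITY_TEAM_ROLE]), indent=4))
```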