Audit Trail Review with Kibana, Athena, and GuardDuty
Performing Log Review in AWS
PCI Requirement 10.6 states, “Review logs and security events for all system components to identify anomalies or suspicious activity.” By regularly performing log review, you can minimize breach identification and containment times. Some types of logs need to be reviewed daily: security events, logs for systems that store, process, or transmit CHD, logs for critical system components, and logs for systems that perform security functions. Other logs can be reviewed on a periodic basis, determined by your risk management strategy. We recommend involving personnel in log review, but that is not a requirement: review can be performed by personnel or by automated means, so the log review process doesn’t need to be manual.
To comply with PCI Requirement 10.6 in AWS, you have several options for which tools to use. AWS says, “They can use Amazon Athena to query audit trail logs saved to Amazon S3 from VPC Flow Logs, AWS CloudTrail, and Amazon CloudWatch. AWS Lambda can be deployed to load log data from Amazon CloudWatch to the Amazon Elasticsearch Service and use Kibana to visualize the events. Amazon GuardDuty and AWS Security Hub can be combined to provide automated event analysis, and paired with CloudWatch Events and AWS Lambda to provide automated remediation.”
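As an added example of the Athena approach (this query is not from the page or from AWS), the following pulls the last 24 hours of CloudTrail records that a daily 10.6 review should look at first: root account activity, authorization failures, failed console sign-ins, and changes that weaken the audit trail itself. It assumes a table named cloudtrail_logs created with the CloudTrail table definition from the Athena documentation, where eventtime is an ISO 8601 string and responseelements is a JSON string.

```sql
-- Daily PCI DSS 10.6 review query for CloudTrail in Athena (added example).
-- Assumption: cloudtrail_logs uses the column layout from the AWS-documented
-- CloudTrail DDL (useridentity struct, eventtime string, responseelements string).
SELECT
  eventtime,
  useridentity.type        AS identity_type,
  useridentity.arn         AS identity_arn,
  eventsource,
  eventname,
  sourceipaddress,
  errorcode
FROM cloudtrail_logs
-- Scope to the last day; restrict by partition columns as well if the table is partitioned.
WHERE from_iso8601_timestamp(eventtime) >= current_timestamp - INTERVAL '1' DAY
  AND (
        -- 1. Any use of the root account is reviewed, successful or not.
        useridentity.type = 'Root'
        -- 2. Authorization failures that may indicate probing or a misconfigured role.
     OR errorcode IN ('AccessDenied', 'UnauthorizedOperation',
                      'Client.UnauthorizedOperation')
        -- 3. Failed console sign-ins; the outcome is recorded in responseElements.
     OR (eventsource = 'signin.amazonaws.com'
         AND eventname = 'ConsoleLogin'
         AND responseelements LIKE '%"ConsoleLogin":"Failure"%')
        -- 4. Changes that reduce logging coverage or expose the log bucket.
     OR eventname IN ('StopLogging', 'DeleteTrail', 'UpdateTrail',
                      'DeleteFlowLogs', 'PutBucketPolicy',
                      'DeleteBucketPolicy', 'PutBucketAcl')
  )
ORDER BY eventtime DESC
LIMIT 500;
```

Each row returned is a candidate for the reviewer to confirm as expected activity or escalate; a query that returns nothing for category 4 on a normal day is itself a useful baseline.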
We have a lot of logs to go through. If you are in a cloud environment like AWS and you have a PCI DSS instance – a cardholder data environment – in there, then you are collecting a world of logs. I know there are some automated tools, but PCI Requirement 10.6 requires humans to review those logs. What tools can we use to do that? AWS has three: Kibana, Athena (to query audit logs directly), and GuardDuty (which allows you to set alerts). That is going to cover part of the log review for you because you’re going to receive proactive alerts if GuardDuty is set up correctly. But, still, the need to review the logs cannot be stressed enough. Most of the recent breaches in the news could have been caught if they had been reviewing their logs.