Logging Tools in AWS
Using CloudTrail, CloudWatch, and Config
In AWS environment, PCI Requirement 10 translates to logging. It states, “Track and monitor all access to network resources and cardholder data.” Without logging mechanisms in place, it’s nearly impossible to track access to CHD and user activity. If data is compromised in your AWS environment, how would you determine the cause? Logging plays a crucial role in minimizing the impact of a data breach or security incident.
AWS recommends using three services to support proper logging and monitoring:
- AWS CloudTrail is a key service for governance and risk auditing because it tracks all AWS account activity and actions.
- Amazon CloudWatch is a log aggregator, and the monitoring and observability arm for applications on AWS.
- AWS Config gives you the ability to record and evaluate the configurations of your AWS resources.
We also recommend using Kibana, an open-source tool for visualization, in combination with AWS services for logging and monitoring.
Transcription
When it comes to PCI Requirement 10, we are talking about logging. We are discussing audit trails and how to keep them secure. It is the integrity of the logs that ultimately matter because if something goes wrong and you need to get into a security incident or data breach, then you will have to go back to your logs. AWS gives you tools built-in to take care of most of your login functions. CloudTrail, the audit engine, gives you the time stamps. CloudWatch, the log aggregator, takes things form Lambda, VPC instances, and databases. Then you can utilize Kibana to visualize what is going on in your network or your VPCs.
Related Videos
Attributes of Log Data
Audit Trail Review with Kibana, Athena, and GuardDuty
Audit Your Security Groups for Insecure Ports and Protocols
Change-Detection Solutions in AWS
CloudTrail and CloudWatch Integration
Enabling AWS Config in All Regions
Enabling CloudTrail Log File Validation
Enabling CloudTrail in All Regions
Ensure ALBs Have WAF ACLs Attached
Ensure RDS Instances are Only Accessible by Internal IPs
Ensuring Role Assumption is Logged
Filters and Alarms in CloudWatch
GuardDuty Alerts for Control Failures
How to Edit Inbound Traffic Rules for Default Security Groups
Identify Unrestricted Access to Ports for Security Groups
Identify if EC2 Instances Are Directly Connected to the Internet
Logging Web ACL Data in Amazon Kinesis
Monitor Network Traffic with VPC Flow Logs
Protecting API Gateways with WAF Rules
Restrict Access to CloudTrail Logs in S3 Buckets
Restrict Security Group Access to All Ports
Retaining Your Audit Trail in AWS
Routing Outbound Traffic Through NAT Gateways
Securing Your Log Files
Using Amazon Time Sync Service
