Securing Your Log Files
Using CloudTrail, CloudWatch, and S3 for Logging
PCI Requirement 10.5 requires that you secure audit trails so they cannot be altered. In AWS, this means using IAM policies to restrict access to the places where audit trails are stored, like CloudTrail, CloudWatch, and S3. You should also utilize features like versioning, lifecycle policies, deny-delete, and log file integrity validation to protect log data. By limiting access to audit trails, protecting audit trails, backing up audit trails, and making audit trails available for analysis, you are meeting PCI Requirement 10.5.
Transcription
In any PCI DSS assessment, log management and log analysis are key factors. We have to secure logs to keep them out of the hands of bad actors - people who would modify them for their own gain. We need to limit access, protect them, back them up, and have them available for analysis for one year. How do we do that in an AWS environment? Well, we enable CloudTrail, put them in CloudWatch, and move them to S3. That is the path that gets them secure. PCI Requirement 10.5 goes one step further and ties in IAM. To make all of this happen in AWS, you can utilize S3, CloudWatch, and CloudTrail and apply policies to them from the AWS Console’s IAM service. Discrete policies related to the locations and who can access the CloudTrail files will get you compliant with PCI Requirement 10.5.
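As an added example (not from the page or the course it transcribes), the deny-delete bucket policy described above for a CloudTrail log bucket, built in Python, together with a small audit function that checks whether a given policy document actually carries that protection; the bucket name and account ID are constructed placeholders.

```python
# Constructed placeholder values; substitute your own bucket name and account ID.
LOG_BUCKET = "example-cloudtrail-logs"
ACCOUNT_ID = "123456789012"

def cloudtrail_log_bucket_policy(bucket: str, account_id: str) -> dict:
    """CloudTrail may deliver log files; no principal may delete objects or
    object versions or suspend versioning. Restrict s3:PutBucketPolicy through
    IAM as well, since whoever holds it could remove the Deny again."""
    arn, objects = f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # CloudTrail checks the bucket ACL before it starts delivering
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": arn,
            },
            {   # CloudTrail writes under AWSLogs/<account>/ and hands over ownership
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
            {   # Deny-delete: an explicit Deny wins over any Allow granted elsewhere
                "Sid": "DenyLogTampering",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutBucketVersioning"],
                "Resource": [arn, objects],
            },
        ],
    }

def missing_protections(policy: dict) -> list:
    """Delete actions not explicitly denied to every principal; [] means append-only."""
    required = {"s3:DeleteObject", "s3:DeleteObjectVersion"}
    denied = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = stmt.get("Action", [])
        denied.update([actions] if isinstance(actions, str) else actions)
    if denied & {"*", "s3:*"}:  # a wildcard Deny covers the required actions too
        return []
    return sorted(required - denied)
```

Versioning and log file integrity validation are bucket- and trail-level settings enabled separately (for example with `aws s3api put-bucket-versioning` and `aws cloudtrail update-trail --enable-log-file-validation`); the policy above only stops deletion and the suspension of versioning.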