A number of log sources are available in AWS that can be useful for incident response purposes. Each source below is listed with the conditions under which it is available (enabled by default or not, and what must be configured) and a description of what it records.

**CloudTrail**

Conditions: Management events (control-plane API calls) are recorded by default and kept for 90 days in the CloudTrail event history of each region. Retention beyond 90 days, delivery to an S3 bucket and the logging of data events (object-level S3 operations, Lambda function invocations, etc.) require a trail to be configured. Events are delivered with a delay of several minutes, so the most recent activity may not be visible yet.

Description: Logs every management operation conducted in the AWS account, whether made through the AWS Management Console, the CLI, the SDKs or direct API calls (console actions are themselves translated into API calls). Essentially logs all management API calls made in the account.

For each action / operation, the following information is logged:
- A unique event ID (eventID).
- The event name (eventName, such as ListPolicies, AssumeRole, ConsoleLogin, etc.) and the service it belongs to (eventSource).
- The timestamp of the operation (eventTime, in UTC).
- The region the operation was conducted in (awsRegion).
- Information on who performed the action: the IAM identity (userIdentity, which for an assumed role contains both the role session and, in sessionContext.sessionIssuer, the role itself), the source IP address (sourceIPAddress) and the user agent (userAgent). When an AWS service makes the call on behalf of a principal, sourceIPAddress holds the service's DNS name (for instance cloudformation.amazonaws.com) rather than an IP address.
- The affected resource(s), if any (resources).
- The request parameters, if any (requestParameters), and the response elements (responseElements).
- Whether the call failed and why (errorCode and errorMessage).
- …
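As an added example (not part of the original notes), the helpers below pull the fields listed above out of CloudTrail records and show two triage steps an incident responder typically performs on them: counting AccessDenied errors per principal (an enumeration indicator) and following an AssumeRole call to the actions later performed with the role session. The records are constructed, abridged CloudTrail events; the helper names are this example's own, not an AWS API. The attribution step relies on a real property of CloudTrail records: the temporary access key ID returned in the responseElements of a successful AssumeRole reappears as userIdentity.accessKeyId in every call made with that session.

```python
# Added example (not from the original notes): triage helpers for CloudTrail
# records. The records are constructed sample data; the helper names are this
# example's own, not an AWS API.
from collections import defaultdict

ACCOUNT = "123456789012"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/dev-alice"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/AdminRole"
SESSION_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/AdminRole/alice"


def _user():
    return {"type": "IAMUser", "principalId": "AIDAEXAMPLE", "arn": USER_ARN,
            "accountId": ACCOUNT, "accessKeyId": "AKIAEXAMPLE", "userName": "dev-alice"}


SAMPLE_RECORDS = [  # constructed, abridged CloudTrail events
    {"eventID": "eid-1", "eventTime": "2024-05-01T12:00:01Z", "awsRegion": "us-east-1",
     "eventSource": "iam.amazonaws.com", "eventName": "ListPolicies", "userIdentity": _user(),
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "errorCode": "AccessDenied", "errorMessage": "not authorized to perform: iam:ListPolicies"},
    {"eventID": "eid-2", "eventTime": "2024-05-01T12:00:04Z", "awsRegion": "us-east-1",
     "eventSource": "iam.amazonaws.com", "eventName": "ListRoles", "userIdentity": _user(),
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0", "errorCode": "AccessDenied"},
    {"eventID": "eid-3", "eventTime": "2024-05-01T12:01:10Z", "awsRegion": "us-east-1",
     "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "userIdentity": _user(),
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "alice"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLESESSION"},
                          "assumedRoleUser": {"arn": SESSION_ARN}},
     "resources": [{"ARN": ROLE_ARN, "accountId": ACCOUNT, "type": "AWS::IAM::Role"}]},
    {"eventID": "eid-4", "eventTime": "2024-05-01T12:02:30Z", "awsRegion": "us-east-1",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:alice", "arn": SESSION_ARN,
                      "accountId": ACCOUNT, "accessKeyId": "ASIAEXAMPLESESSION",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "arn": ROLE_ARN},
                                         "attributes": {"mfaAuthenticated": "false"}}},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"userName": "svc-backup"}},
]


def summarize(record):
    """Flatten the fields listed above into one triage row."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    source_ip = record.get("sourceIPAddress") or ""
    return {
        "event_id": record.get("eventID"),
        "time": record.get("eventTime"),
        "region": record.get("awsRegion"),
        "event": f"{record.get('eventSource')}:{record.get('eventName')}",
        # For an assumed role the ARN is the role session; the issuer is the role.
        "principal": ident.get("arn") or ident.get("invokedBy") or ident.get("type"),
        "issuer": issuer.get("arn"),
        "source_ip": source_ip,
        # Calls made by an AWS service carry the service DNS name, not an IP.
        "from_aws_service": source_ip.endswith(".amazonaws.com"),
        "user_agent": record.get("userAgent"),
        "resources": [r["ARN"] for r in (record.get("resources") or []) if r.get("ARN")],
        "request_parameters": record.get("requestParameters"),
        "error": record.get("errorCode"),
    }


def denied_calls_by_principal(records, threshold=2):
    """Principals with at least `threshold` failed calls: a cheap enumeration indicator."""
    counts = defaultdict(int)
    for r in records:
        if r.get("errorCode") in ("AccessDenied", "Client.UnauthorizedOperation", "UnauthorizedOperation"):
            counts[summarize(r)["principal"]] += 1
    return {p: n for p, n in counts.items() if n >= threshold}


def attribute_assumed_roles(records):
    """Link calls made with a role session back to the principal that assumed the role.

    The temporary accessKeyId in the AssumeRole responseElements reappears as
    userIdentity.accessKeyId in every call made with that session.
    Returns (event ID, role session ARN, assuming principal) tuples."""
    key_to_assumer = {}
    for r in records:
        if r.get("eventName") == "AssumeRole" and not r.get("errorCode"):
            creds = (r.get("responseElements") or {}).get("credentials") or {}
            if creds.get("accessKeyId"):
                key_to_assumer[creds["accessKeyId"]] = summarize(r)["principal"]
    attributed = []
    for r in records:
        ident = r.get("userIdentity", {})
        if ident.get("type") == "AssumedRole" and ident.get("accessKeyId") in key_to_assumer:
            attributed.append((r["eventID"], ident.get("arn"), key_to_assumer[ident["accessKeyId"]]))
    return attributed
```

In a real investigation the records come from the CloudTrail log files in S3 (gzipped JSON with a top-level `Records` array) or from the event history; the accessKeyId pivot works across both as long as the AssumeRole event and the subsequent calls are within the same data set, and chains of role assumptions can be followed by applying it repeatedly.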
**CloudWatch**

Conditions: Some AWS services automatically push basic metrics to CloudWatch at no charge (for instance EC2 instance metrics at a 5-minute granularity), while other services, finer-grained metrics and OS-level data require additional configuration.

Description: CloudWatch Metrics stores performance metrics such as CPU utilization, disk I/O and network I/O. Memory and filesystem usage of EC2 instances are not part of the hypervisor-level metrics and require the CloudWatch agent. CloudWatch Logs stores log streams (application logs, CloudTrail, VPC Flow Logs, etc.), on which metric filters and alarms can be defined.

The CloudWatch agent can be installed on EC2 instances (and on on-premises servers) to forward OS-level logs (syslog, Windows event logs, application logs) and additional metrics to CloudWatch.

CloudTrail logs can be forwarded to a CloudWatch Logs log group, for instance to configure automated alerting through metric filters and alarms (root account usage, IAM policy changes, CloudTrail configuration changes, etc.).
**AWS Config**

Conditions: AWS Config is not enabled by default; a configuration recorder and a delivery channel must be set up in each region to be monitored.

Description: Records the configuration state of supported resources (EC2 instances, VPCs, security groups, IAM entities, etc.) in the AWS account and keeps the history of their configuration items.

There are two frequencies at which AWS Config can deliver configuration items: periodic and continuous. Periodic recording delivers configuration data once every 24 hours, and only if a change has occurred. Continuous recording delivers a configuration item whenever a change occurs.

If enabled, AWS Config can be used to detect configuration changes and retrieve historical configuration data (what a given resource looked like at a given time and when it was created / modified). Each configuration item references the CloudTrail events that caused the change (relatedEvents), which provides the "who" behind a change.
**S3 Access Logs**

Conditions: S3 server access logs are not enabled by default and must be enabled on a per bucket basis, with a target bucket in the same region and account to receive them. Delivery is best-effort and delayed (usually by a few hours), so the absence of a log record does not prove that a request was not made.

Description: Logs the requests made on the bucket and its objects: listing, access, upload, modification and deletion of data stored in the bucket, with the requester, source IP address, operation, object key, HTTP status and error code of each request. By default CloudTrail only records bucket-level management operations (PutBucketPolicy, PutBucketAcl, etc.); object-level operations only appear in CloudTrail if S3 data events are enabled on a trail.
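Server access logs are space-delimited text with two quoted field types (the timestamp in brackets and the request URI, referer and user agent in double quotes), so a plain split on spaces breaks them. The parser below, an added example that is not part of the original notes, tokenizes a line into the documented field order, tolerates fields appended to the format after the ones it knows, and runs two checks an analyst wants on a suspected data exposure: which objects anonymous requesters reached (a 2xx means the object was readable without credentials, a 403 is a probe), and the full timeline of one object key. The log lines are constructed sample data and the helper names are this example's own.

```python
# Added example (not from the original notes): parser and two triage queries
# for S3 server access log lines. Sample lines are constructed; helper names
# are this example's own.
from datetime import datetime

# Documented field order; newer fields appended by AWS land in rec["extra"].
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turn_around_time", "referer", "user_agent",
    "version_id", "host_id", "signature_version", "cipher_suite",
    "authentication_type", "host_header", "tls_version",
]

SAMPLE_LINES = [  # constructed sample data
    'OWNERID example-bucket [06/Feb/2024:10:15:02 +0000] 203.0.113.10 arn:aws:iam::123456789012:user/dev-alice 1A2B3C4D5E6F7G8H REST.GET.BUCKET - "GET /example-bucket?list-type=2 HTTP/1.1" 200 - 512 - 9 8 "-" "aws-cli/2.15.0" - HOSTID1 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.eu-west-1.amazonaws.com TLSV1.2',
    'OWNERID example-bucket [06/Feb/2024:10:16:40 +0000] 198.51.100.7 - 2B3C4D5E6F7G8H9I REST.GET.OBJECT backups/db-2024-02-05.sql "GET /backups/db-2024-02-05.sql HTTP/1.1" 200 - 7340032 7340032 2150 31 "-" "curl/8.4.0" - HOSTID2 - ECDHE-RSA-AES128-GCM-SHA256 - example-bucket.s3.eu-west-1.amazonaws.com TLSV1.2',
    'OWNERID example-bucket [06/Feb/2024:10:16:55 +0000] 198.51.100.7 - 3C4D5E6F7G8H9I0J REST.GET.OBJECT backups/keys.tar "GET /backups/keys.tar HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/8.4.0" - HOSTID3 - ECDHE-RSA-AES128-GCM-SHA256 - example-bucket.s3.eu-west-1.amazonaws.com TLSV1.2',
    'OWNERID example-bucket [06/Feb/2024:11:02:13 +0000] 203.0.113.10 arn:aws:iam::123456789012:user/dev-alice 4D5E6F7G8H9I0J1K REST.DELETE.OBJECT backups/db-2024-02-05.sql "DELETE /backups/db-2024-02-05.sql HTTP/1.1" 204 - - 7340032 12 11 "-" "aws-cli/2.15.0" - HOSTID4 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.eu-west-1.amazonaws.com TLSV1.2',
]


def tokenize(line):
    """Split on spaces while keeping [...] and "..." groups as single tokens."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        if line[i] == " ":
            i += 1
        elif line[i] == "[":
            j = line.index("]", i)
            tokens.append(line[i + 1:j])
            i = j + 1
        elif line[i] == '"':
            j = line.index('"', i + 1)
            tokens.append(line[i + 1:j])
            i = j + 1
        else:
            j = line.find(" ", i)
            j = n if j == -1 else j
            tokens.append(line[i:j])
            i = j
    return tokens


def parse(line):
    """Map one access log line onto the documented field names."""
    tokens = tokenize(line)
    rec = dict(zip(FIELDS, tokens))
    rec["extra"] = tokens[len(FIELDS):]  # fields AWS appended to the format later
    rec["timestamp"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["http_status"] = int(rec["http_status"])
    return rec


def anonymous_object_access(lines):
    """Object requests made without credentials (requester is '-').

    A 2xx status means the object was readable anonymously; a 403 is a probe."""
    hits = []
    for rec in map(parse, lines):
        if rec["requester"] == "-" and rec["operation"].startswith("REST.GET.OBJECT"):
            hits.append((rec["remote_ip"], rec["key"], rec["http_status"], rec["error_code"]))
    return hits


def object_timeline(lines, key):
    """Every operation on one object key, in time order: who, from where, when."""
    recs = sorted((r for r in map(parse, lines) if r["key"] == key), key=lambda r: r["timestamp"])
    return [(r["timestamp"].isoformat(), r["operation"], r["requester"], r["remote_ip"]) for r in recs]
```

Because delivery is best-effort, a timeline built this way should be cross-checked against CloudTrail S3 data events when those are enabled; the two sources also differ in how they name the requester (canonical user ID or IAM ARN here, full userIdentity in CloudTrail).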
**VPC Flow Logs**

Conditions: VPC Flow Logs are not enabled by default and must be enabled either at the VPC, subnet, or Elastic Network Interface (ENI) level.

Description: Logs metadata about the IP traffic going to and from network interfaces (addresses, ports, protocol, byte and packet counts, but not packet payloads) to CloudWatch Logs or an S3 bucket. Some traffic is never recorded, notably traffic to the Amazon DNS resolver and to the instance metadata service (169.254.169.254).

Several versions of the flow log record format exist, versions 2 to 5 to date. Higher versions add fields to each record: version 3 adds among others the VPC, subnet and instance IDs, the TCP flags and the packet-level source / destination addresses (pkt-srcaddr / pkt-dstaddr, which reveal the original endpoints of traffic passing through an intermediate layer such as a NAT gateway); version 5 adds among others the flow direction and the traffic path. The default format (version 2) records the following fields (in order):
- version number (version).
- account id (account-id, the AWS account ID of the owner of the source network interface for which the traffic is recorded).
- interface id (interface-id, the ID of the network interface for which the traffic is recorded).
- source address (srcaddr).
- destination address (dstaddr).
- source port (srcport).
- destination port (dstport).
- network protocol (protocol, as an IANA protocol number: 6 for TCP, 17 for UDP, 1 for ICMP).
- number of packets transferred during the aggregation interval (packets).
- number of bytes transferred during the aggregation interval (bytes).
- start of the aggregation interval (start, Unix timestamp in seconds).
- end of the aggregation interval (end, Unix timestamp in seconds).
- whether the traffic was accepted (ACCEPT) or rejected (REJECT) by the security groups and network ACLs (action).
- status of the flow log record (log-status): OK, NODATA when no traffic was seen on the interface during the interval, or SKIPDATA when records were skipped (capacity constraints or internal errors). For NODATA and SKIPDATA records, the traffic fields hold "-".

Data is aggregated over a maximum aggregation interval of one or ten minutes (ten by default), chosen when the flow log is created. Records are unidirectional: each direction of a conversation produces its own record, which must be joined back together to reconstruct a session.

For more information on VPC Flow Logs, refer to the official AWS documentation.
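The parser below is an added example, not part of the original notes, for the default (version 2) record format listed above. It keeps the NODATA / SKIPDATA records instead of discarding them (a SKIPDATA interval is a gap in the evidence, not an absence of traffic), joins the two unidirectional records of an accepted conversation into one session, and flags a source whose attempts were rejected on several distinct destination ports, the usual scan indicator. The records are constructed sample data and the helper names are this example's own.

```python
# Added example (not from the original notes): parser and triage helpers for
# version 2 VPC Flow Log records. Sample records are constructed; helper names
# are this example's own.
from collections import defaultdict
from datetime import datetime, timezone

V2_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
             "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}  # IANA protocol numbers seen most often

SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 51234 22 6 12 2900 1714564800 1714564860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 198.51.100.7 22 51234 6 10 3500 1714564800 1714564860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 51235 3389 6 1 40 1714564800 1714564860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 51236 445 6 1 40 1714564800 1714564860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 51237 3306 6 1 40 1714564800 1714564860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1714564860 1714564920 - NODATA
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1714564920 1714564980 - SKIPDATA
"""


def parse_record(line):
    """Parse one version 2 record; traffic fields are None for NODATA / SKIPDATA."""
    fields = line.split()
    if len(fields) != len(V2_FIELDS):
        raise ValueError(f"expected {len(V2_FIELDS)} fields, got {len(fields)}: {line!r}")
    rec = dict(zip(V2_FIELDS, fields))
    for f in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[f] = int(rec[f]) if rec[f] != "-" else None
    rec["start"] = datetime.fromtimestamp(int(rec["start"]), timezone.utc)
    rec["end"] = datetime.fromtimestamp(int(rec["end"]), timezone.utc)
    rec["proto_name"] = PROTOCOLS.get(rec["protocol"], str(rec["protocol"]))
    return rec


def parse_records(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def coverage_gaps(recs):
    """Intervals for which records were dropped (SKIPDATA): missing evidence."""
    return [(r["interface_id"], r["start"].isoformat(), r["end"].isoformat())
            for r in recs if r["log_status"] == "SKIPDATA"]


def rejected_ports_by_source(recs, min_ports=3):
    """Sources rejected on several distinct destination ports: a scan indicator."""
    ports = defaultdict(set)
    for r in recs:
        if r["log_status"] == "OK" and r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def session_summary(recs):
    """Join the src->dst and dst->src records of each ACCEPTed conversation.

    Keyed by the sorted endpoint pair and protocol; `sources` lists the addresses
    that sent traffic, so a single-element set means no reply was ever seen."""
    sessions = {}
    for r in recs:
        if r["log_status"] != "OK" or r["action"] != "ACCEPT":
            continue
        a, b = (r["srcaddr"], r["srcport"]), (r["dstaddr"], r["dstport"])
        key = (min(a, b), max(a, b), r["proto_name"])
        s = sessions.setdefault(key, {"bytes": 0, "packets": 0, "sources": set(), "first_seen": r["start"]})
        s["bytes"] += r["bytes"]
        s["packets"] += r["packets"]
        s["sources"].add(r["srcaddr"])
        s["first_seen"] = min(s["first_seen"], r["start"])
    return sessions
```

With a custom (version 3 or higher) format the field list must be taken from the flow log definition rather than assumed, and records from different interfaces, subnets or VPCs can describe the same packets, so counts should be deduplicated per interface before being summed.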
**WAF Logs**

Conditions: WAF logs require the use of the AWS WAF service, with logging explicitly enabled on each web ACL.

Description: Logs every request inspected by a web ACL, whatever the action taken. WAF logs can be sent to a CloudWatch Logs log group, an S3 bucket or an Amazon Kinesis Data Firehose delivery stream.

For each request, the log records the web ACL and the protected resource that received it, the action taken (ALLOW, BLOCK, COUNT, etc.), the terminating rule that decided the action and the non-terminating rules that matched, along with information about the request itself (source IP, country, HTTP method, URI, query string, and the request headers where present). Headers or parameters can be redacted from the logs through the logging configuration, which then also hides them from investigators.

Tags: aws
