Multiple AWS services provide infrastructure logging, and you should be familiar with them: AWS CloudTrail, AWS Config, VPC Flow Logs, and Amazon GuardDuty. Raf recommended that the customer configure CloudTrail to concentrate data in the AWS Organizations management account, thus following best practices for account governance.
AWS CloudTrail
CloudTrail monitors and records account activity across your AWS infrastructure, so that you can store, analyze, and act on a record of what was done in the account. Events include actions that are performed in the AWS Management Console, the AWS Command Line Interface (AWS CLI), and the AWS SDKs and APIs. CloudTrail captures AWS API calls and logs them as events. It does not record API calls that are made to a backend application that you host on Amazon Elastic Compute Cloud (Amazon EC2), and it does not record internal calls within an application that don't involve an AWS API.
CloudTrail typically delivers log files within about 15 minutes of an API call, but this delivery time is not guaranteed, so CloudTrail logs are not a real-time feed.
By using CloudTrail, a user in the Organizations management account can create an organization trail that logs all events for all AWS accounts in that organization. Organization trails are automatically applied to all member accounts in the organization. Member accounts can see the organization trail, but they can't modify or delete it. By default, member accounts don't have access to the log files for the organization trail in the Amazon Simple Storage Service (Amazon S3) bucket. This feature helps you uniformly apply and enforce your event-logging strategy across the accounts in your organization.
For more information about CloudTrail, see How CloudTrail works.
AWS Config
It’s important to know the difference between AWS CloudTrail and AWS Config.
When you run your applications on AWS, you usually use AWS resources, which you must create and manage collectively. As the demand for your application grows, your need to keep track of your AWS resources also grows. AWS Config is designed to help you manage your application resources.
AWS Config provides a detailed view of how AWS resources are configured in your AWS account. This configuration includes how resources are related to one another, and how they were configured in the past — which means that you can see how the configurations and relationships change over time. You can use AWS Config to get an inventory of the resources that you have in your AWS account, and then you can apply rules for how those resources are configured.
An AWS resource is an entity that you can work with in AWS, such as an EC2 instance, an Amazon Elastic Block Store (Amazon EBS) volume, a security group, or a virtual private cloud (VPC).
Resource administration
To exercise better governance over your resource configurations — and to detect resource misconfigurations — you need fine-grained visibility into what resources exist, and how these resources are configured at any time. You can use AWS Config to notify you when resources are created, modified, or deleted without needing to monitor these changes by polling the calls made to each resource.
You can use AWS Config rules to evaluate the configuration settings of your AWS resources. When AWS Config detects that a resource violates the conditions in one of your rules, AWS Config flags the resource as noncompliant and sends a notification. AWS Config is designed to continuously evaluate your resources as they are created, changed, or deleted.
Auditing and compliance
You might work with data that requires frequent audits to ensure compliance with internal policies and best practices. To demonstrate compliance, you need access to the historical configurations of your resources. AWS Config can provide this information.
Managing and troubleshooting configuration changes
When you use multiple AWS resources that depend on one another, a change in the configuration of one resource might have unintended consequences on related resources. With AWS Config, you can view how the resource that you want to modify is related to other resources, and thus assess the potential impact of your change.
You can also use the historical configurations of your resources that are provided by AWS Config to troubleshoot issues and to access the last-known good configuration of a problem resource.
Security analysis
To analyze potential security weaknesses, you need detailed historical information about your AWS resource configurations. Examples include the AWS Identity and Access Management (IAM) permissions that are granted to your users, or the Amazon EC2 security group rules that control access to your resources.
You can use AWS Config to view the IAM policy that was assigned to an IAM user, group, or role at any time when AWS Config was recording. This information can help you determine the permissions that belonged to a user at a specific time: for example, you can view whether the user John Doe had the permissions to modify Amazon Virtual Private Cloud (Amazon VPC) settings on Jan 1, 2015.
You can also use AWS Config to view the configuration of your Amazon EC2 security groups, including the port rules that were open at a specific time. This information can help you determine whether a security group blocked incoming TCP traffic to a specific port.
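The two uses of AWS Config described on this page, a rule that flags a noncompliant resource (Resource administration) and a historical lookup of which security group ports were open at a given time (Security analysis), both reduce to inspecting the configuration items that AWS Config records. The following is an added example, not code from the AWS documentation this page summarizes. The configuration items are constructed: the field names follow the shape AWS Config records for an AWS::EC2::SecurityGroup, but the group ID, capture times and rules are invented. The lambda_handler shows the shape of a custom AWS Config rule; a real rule would pass its result to the PutEvaluations API, which this offline example omits.

```python
"""Evaluate AWS Config configuration items for an EC2 security group.

Added example; not AWS documentation code. Constructed data: the items below
mimic AWS Config's AWS::EC2::SecurityGroup schema with invented values.
"""
import json
from datetime import datetime, timezone

# Constructed history, oldest first: on Jan 1 SSH was open to the world,
# on Jan 3 the SSH rule was tightened to a /24 while HTTPS stayed public.
CONFIG_HISTORY = [
    {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "configurationItemCaptureTime": "2024-01-01T10:00:00.000Z",
        "configuration": {
            "groupName": "web-servers",
            "ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
            ],
        },
    },
    {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "configurationItemCaptureTime": "2024-01-03T09:30:00.000Z",
        "configuration": {
            "groupName": "web-servers",
            "ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipv4Ranges": [{"cidrIp": "10.0.0.0/24"}], "ipv6Ranges": []},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
            ],
        },
    },
]

WORLD = {"0.0.0.0/0", "::/0"}


def _parse(ts):
    """AWS Config capture times are ISO 8601 with milliseconds and a Z suffix."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def _port_matches(rule, port):
    """True if the rule covers `port`; ipProtocol -1 means all traffic."""
    if rule.get("ipProtocol") == "-1":
        return True
    lo, hi = rule.get("fromPort"), rule.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi


def world_open_ports(configuration, candidate_ports):
    """Return the subset of candidate_ports reachable from 0.0.0.0/0 or ::/0."""
    open_ports = set()
    for rule in configuration.get("ipPermissions", []):
        cidrs = {r["cidrIp"] for r in rule.get("ipv4Ranges", [])}
        cidrs |= {r["cidrIpv6"] for r in rule.get("ipv6Ranges", [])}
        if not cidrs & WORLD:
            continue
        open_ports.update(p for p in candidate_ports if _port_matches(rule, p))
    return open_ports


def evaluate_compliance(configuration_item, forbidden_ports=(22, 3389)):
    """The verdict a custom AWS Config rule would return for one item."""
    exposed = world_open_ports(configuration_item["configuration"], forbidden_ports)
    if exposed:
        return "NON_COMPLIANT", f"ports {sorted(exposed)} are open to the world"
    return "COMPLIANT", "no forbidden port is open to the world"


def lambda_handler(event, context=None):
    """Shape of a custom Config rule handler: the configuration item arrives
    inside the JSON-encoded invokingEvent. A real rule sends this dict to
    config:PutEvaluations; this offline example just returns it."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_compliance(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def example_invocation():
    """Invoke the handler the way AWS Config would for the first history item."""
    return lambda_handler({"invokingEvent": json.dumps({"configurationItem": CONFIG_HISTORY[0]})})


def config_at(history, when):
    """Return the configuration item that was in effect at ISO 8601 time `when`,
    i.e. the latest capture at or before it, or None if none existed yet."""
    target = _parse(when)
    current = None
    for item in sorted(history, key=lambda i: _parse(i["configurationItemCaptureTime"])):
        if _parse(item["configurationItemCaptureTime"]) <= target:
            current = item
    return current


def was_port_open(history, port, when):
    """Answer the audit question: was `port` open to the world at time `when`?"""
    item = config_at(history, when)
    return item is not None and port in world_open_ports(item["configuration"], [port])
```

Because config_at picks the latest capture at or before the requested time, a query for a time before the first capture returns False rather than guessing; a real investigation would pull the history with GetResourceConfigHistory and feed it to the same functions.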
For more information, see What is AWS Config?
VPC Flow Logs
VPC Flow Logs is a feature that you can use to capture information about the IP traffic that goes to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3. After you create a flow log, you can retrieve and view its data in the chosen destination. Flow logs can help you with various tasks, such as the following:
- Diagnosing overly restrictive security group rules
- Monitoring the traffic that reaches your instance
- Determining the direction of the traffic to and from the network interfaces
Flow log data is collected outside the path of your network traffic. Therefore, it doesn’t affect network throughput or latency. You can create or delete flow logs with a minimal risk of impact to network performance.
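The three tasks listed above (diagnosing restrictive rules, monitoring traffic to an instance, and determining direction) are all questions you answer by parsing flow log records. The following is an added example, not code from AWS; the records are constructed in the default flow log format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) with invented addresses, ENI ID and timestamps, and the ENI-to-address map is an assumed input that you would normally take from DescribeNetworkInterfaces. The rejected-reply check goes slightly beyond the page: it uses the fact that security groups are stateful, so an inbound flow that was accepted but whose outbound reply was rejected points at a network ACL rather than a security group.

```python
"""Parse VPC Flow Log records (default format) and summarize rejected traffic.

Added example, not AWS code. SAMPLE_LOG and ENI_ADDRESSES are constructed.
"""
from collections import Counter
from dataclasses import dataclass

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed records for one ENI (10.0.1.10): an accepted HTTPS session,
# two rejected SSH attempts, an accepted inbound flow on 8080 whose reply
# was rejected, and a NODATA record that carries no flow fields.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.10 51234 443 6 12 2300 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 203.0.113.5 443 51234 6 10 8100 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.10 40001 22 6 3 180 1700000060 1700000119 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.10 40002 22 6 3 180 1700000120 1700000179 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.0.2.9 10.0.1.10 55000 8080 6 8 640 1700000120 1700000179 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 192.0.2.9 8080 55000 6 8 640 1700000120 1700000179 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000180 1700000239 - NODATA
"""

# Assumed input: the private IPv4 address of each ENI, used to decide direction.
ENI_ADDRESSES = {"eni-0a1b2c3d4e5f67890": "10.0.1.10"}


@dataclass(frozen=True)
class Flow:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    start: int
    end: int
    action: str


def parse_flow_logs(text):
    """Return Flow objects; NODATA/SKIPDATA records have no flow fields and are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count in record: {line!r}")
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        flows.append(Flow(
            interface_id=rec["interface_id"],
            srcaddr=rec["srcaddr"], dstaddr=rec["dstaddr"],
            srcport=int(rec["srcport"]), dstport=int(rec["dstport"]),
            protocol=int(rec["protocol"]),
            packets=int(rec["packets"]), bytes=int(rec["bytes"]),
            start=int(rec["start"]), end=int(rec["end"]),
            action=rec["action"],
        ))
    return flows


def direction(flow, eni_addresses):
    """'ingress' if the ENI's own address is the destination, 'egress' if it is the source."""
    addr = eni_addresses.get(flow.interface_id)
    if flow.dstaddr == addr:
        return "ingress"
    if flow.srcaddr == addr:
        return "egress"
    return "unknown"


def rejected_ingress_by_port(flows, eni_addresses):
    """Rejected inbound packets per (dstport, protocol): the ports to check
    when a security group or network ACL rule is suspected of being too strict."""
    counts = Counter()
    for f in flows:
        if f.action == "REJECT" and direction(f, eni_addresses) == "ingress":
            counts[(f.dstport, f.protocol)] += f.packets
    return counts


def rejected_replies(flows, eni_addresses):
    """Egress REJECTs whose reverse inbound flow was ACCEPTed. A security group
    is stateful and would have allowed the reply, so this pattern implicates a
    stateless network ACL instead."""
    accepted_ingress = {
        (f.srcaddr, f.srcport, f.dstaddr, f.dstport, f.protocol)
        for f in flows
        if f.action == "ACCEPT" and direction(f, eni_addresses) == "ingress"
    }
    return [
        f for f in flows
        if f.action == "REJECT" and direction(f, eni_addresses) == "egress"
        and (f.dstaddr, f.dstport, f.srcaddr, f.srcport, f.protocol) in accepted_ingress
    ]
```

If you use a custom flow log format, adjust FIELDS to match the fields and order you chose when creating the flow log; the parser rejects records whose field count does not match rather than silently misaligning columns.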
For more information, see Logging IP traffic using VPC Flow Logs.
Amazon GuardDuty
Amazon GuardDuty is a continuous security monitoring service that analyzes and processes data sources such as CloudTrail management event logs, CloudTrail data events for Amazon S3, DNS logs, Amazon EBS volume data, Amazon Elastic Kubernetes Service (Amazon EKS) audit logs, and VPC flow logs.
It uses threat intelligence feeds (such as lists of malicious IP addresses and domains) and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your AWS environment. This activity can include issues such as the escalation of privileges, use of exposed credentials, communication with malicious IP addresses or domains, or the presence of malware on your EC2 instances and container workloads.
For example, GuardDuty can detect compromised EC2 instances and container workloads that are serving malware or mining bitcoin. It also monitors AWS account access behavior for signs of compromise, such as unauthorized infrastructure deployments — for example, instances that are deployed in a Region that has never been used, or unusual API calls (such as a password policy change to reduce password strength).
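The account-access indicators just listed (a password policy change that weakens the policy, deployments in a Region that has never been used) are visible in the raw CloudTrail management events described in the AWS CloudTrail section above. The following is an added example, not code from AWS or GuardDuty; GuardDuty's own detection logic is not public, and this is a simple baseline comparison that shows what those indicators look like in CloudTrail data. The log file body is constructed with CloudTrail's real field names (Records, eventSource, eventName, awsRegion, userIdentity, requestParameters) but invented values; KNOWN_REGIONS and PASSWORD_POLICY_FLOOR are assumed baselines. It goes slightly beyond the page by also flagging root credential use. The rule that omitted UpdateAccountPasswordPolicy parameters count as weakening follows the IAM API, which resets omitted options to their defaults.

```python
"""Scan CloudTrail records for account-level indicators the page describes.

Added example, not AWS or GuardDuty code. SAMPLE_LOG_FILE, KNOWN_REGIONS and
PASSWORD_POLICY_FLOOR are constructed/assumed.
"""
import json

# Constructed CloudTrail log file body: the "Records" array as delivered to S3.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-03-01T08:00:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "UpdateAccountPasswordPolicy",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"minimumPasswordLength": 6, "requireSymbols": False},
     "readOnly": False},
    {"eventVersion": "1.08", "eventTime": "2024-03-01T08:05:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "readOnly": False},
    {"eventVersion": "1.08", "eventTime": "2024-03-01T08:06:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "readOnly": True},
    {"eventVersion": "1.08", "eventTime": "2024-03-01T08:07:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "readOnly": True},
]})

# Assumed baselines: Regions with prior activity, and the password policy
# values the account treats as its minimum.
KNOWN_REGIONS = {"us-east-1", "eu-west-1"}
PASSWORD_POLICY_FLOOR = {"minimumPasswordLength": 14,
                         "requireSymbols": True, "requireNumbers": True}


def load_records(log_file_body):
    """A CloudTrail log file is a JSON object whose Records array holds the events."""
    return json.loads(log_file_body)["Records"]


def weakens_password_policy(record, floor=PASSWORD_POLICY_FLOOR):
    """True if an UpdateAccountPasswordPolicy call drops below any floor value.
    Omitted parameters count as weakening: the IAM API resets them to defaults
    (false for the require* flags, 6 for minimumPasswordLength)."""
    if (record.get("eventSource") != "iam.amazonaws.com"
            or record.get("eventName") != "UpdateAccountPasswordPolicy"):
        return False
    params = record.get("requestParameters") or {}
    for key, floor_value in floor.items():
        value = params.get(key)
        if isinstance(floor_value, bool):
            if floor_value and value is not True:
                return True
        elif value is None or value < floor_value:
            return True
    return False


def in_unused_region(record, known_regions):
    """API activity in a Region with no prior activity in the baseline."""
    return record.get("awsRegion") not in known_regions


def is_root_activity(record):
    """Calls made with the account's root credentials."""
    return record.get("userIdentity", {}).get("type") == "Root"


def scan(records, known_regions=KNOWN_REGIONS):
    """Return (eventName, awsRegion, reason) for each indicator that matches.
    Read-only calls are not skipped: who acted and where matters, not only writes."""
    findings = []
    for r in records:
        if weakens_password_policy(r):
            findings.append((r["eventName"], r["awsRegion"], "password policy weakened"))
        if in_unused_region(r, known_regions):
            findings.append((r["eventName"], r["awsRegion"], "activity in never-used Region"))
        if is_root_activity(r):
            findings.append((r["eventName"], r["awsRegion"], "root credential use"))
    return findings
```

GuardDuty produces these findings without you writing such logic, and builds its Region baseline from the account's own history; the value of the hand-written version is in incident response, where you need to confirm a finding against the raw CloudTrail record and see exactly which parameters were changed. Remember that CloudTrail delivers log files with a delay of roughly 15 minutes, so a scan over the S3 log files is a retrospective check, not a real-time control.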
For more information, see What is Amazon GuardDuty?