Logging – Incident Response – SCS-C02 Study Guide

Logging

AWS has numerous services that offer logging capabilities to capture the information you need when analyzing the source of a threat and working out how to prevent it. Enable logging on the services you use. This step is often overlooked, and organizations tend to regret the omission when the worst happens. With logging active, you have a much better chance of resolving an incident quickly and efficiently, or even of preventing it by spotting patterns and trends.

Logging also lets you baseline your infrastructure: what normal operation looks like and what should be treated as abnormal. That baseline helps you identify and isolate anomalies quickly, especially when combined with third-party log collection and analysis tools.

Again, having the supported AWS services generate logs continuously and automatically lets you view the state of your environment before, during, and after an incident. This gives you the intelligence and insight to pinpoint where in your infrastructure the incident occurred and how to prevent it from happening again.

Some examples of services that offer logging in AWS include Amazon CloudWatch Logs, AWS CloudTrail logs, S3 access logs, VPC Flow Logs, the AWS Config configuration recorder, CloudFront logs, and Application Load Balancer logs. AWS provides further logs for more niche services; however, from this list alone, you can see that logging is an excellent method of helping you resolve a security incident as quickly as possible. These logs should be readily available to the security and audit teams when you respond to an incident as part of your IR policy.

Note

Logging and monitoring will be covered in depth in Section 3 of the book, because the ability to understand logging and monitoring, especially regarding the security of your AWS environment, is one of the pillars of the AWS Certified Security – Specialty certification.

Alerting

When an event has occurred in your AWS account, you want to be notified. Base services such as Amazon Simple Notification Service (SNS) can send messages to the subscribers of the topics used in IR. However, something must be in place to trigger the sending of those messages.

Amazon EventBridge lets you create rules that trigger actions on other services, such as Lambda functions, AWS Step Functions, and SNS topics. Knowing which events warrant a notification or should start another service is one of the skills an AWS security engineer needs to have a firm grasp of.
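As an added example (not from the study guide), here is an EventBridge event pattern that matches CloudTrail API calls which weaken logging, together with a simplified local matcher that shows which sample events the rule would route to an SNS target. The API names are real CloudTrail operations; the sample events, account id and user name are constructed, and the matcher approximates EventBridge semantics (exact-value lists and nested objects only, no array-valued event fields or content filters).

```python
import json

# EventBridge rule pattern: CloudTrail management events for API calls that
# stop, delete or reconfigure a trail. Field names follow the shape of the
# "AWS API Call via CloudTrail" event that EventBridge delivers.
LOGGING_TAMPER_PATTERN = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging", "DeleteTrail", "UpdateTrail"],
    },
}


def matches(pattern, event):
    """Simplified EventBridge matching: every key in the pattern must exist in
    the event; a list means 'any of these exact values'; a dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:  # list of allowed exact values
            return False
    return True


def make_event(event_name, event_source="cloudtrail.amazonaws.com"):
    """Constructed sample event in the shape EventBridge uses for CloudTrail."""
    return {
        "source": "aws.cloudtrail",
        "detail-type": "AWS API Call via CloudTrail",
        "account": "111111111111",  # placeholder account id
        "region": "us-east-1",
        "detail": {"eventSource": event_source, "eventName": event_name,
                   "userIdentity": {"type": "IAMUser", "userName": "example-user"}},
    }


def events_to_alert(events):
    """Return the eventNames of the events the rule would route to its SNS target."""
    return [e["detail"]["eventName"] for e in events if matches(LOGGING_TAMPER_PATTERN, e)]


SAMPLE_EVENTS = [make_event("StopLogging"), make_event("DescribeTrails"),
                 make_event("DeleteTrail"), make_event("PutObject", "s3.amazonaws.com")]

if __name__ == "__main__":
    print(json.dumps(LOGGING_TAMPER_PATTERN, indent=2))  # the rule body to deploy
    print("would alert on:", events_to_alert(SAMPLE_EVENTS))  # ['StopLogging', 'DeleteTrail']
```

Read-only calls such as DescribeTrails and events from other services fall through the rule, so the SNS topic only receives the calls that change logging coverage.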