S3 object-level logging integrates with AWS CloudTrail data events. AWS CloudTrail is a service that records and tracks all API requests that are made. These can be programmatic requests made using an SDK, using the AWS CLI, from within the AWS Management Console, or with another AWS service.
When S3 object-level logging is enabled, you must associate it with a CloudTrail trail. This trail will then record both write and read API activity (depending on configuration) for objects within the configured bucket. Although Amazon S3 is being discussed here, S3 object-level logging relies heavily on CloudTrail. CloudTrail events will be discussed later in this chapter as you dive deeper into AWS CloudTrail and the logging capabilities that it contains.
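The relationship described above (object-level logging is really CloudTrail data events on a trail) is easiest to see in the records themselves. The following is an added example, not code from the book: it parses a constructed CloudTrail log file, keeps only the S3 data events (dropping management events such as DescribeInstances), tallies reads versus writes per bucket using the record's readOnly flag, and lists write operations from principals that are not on a per-bucket allow-list. Bucket names, account ID, addresses and principals are placeholders.

```python
import json
from collections import defaultdict

# Constructed CloudTrail log file (the "Records" envelope CloudTrail writes), not a real
# capture. Account ID, bucket names, addresses and principals are placeholders.
SAMPLE_CLOUDTRAIL_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "readOnly": True, "managementEvent": True, "eventCategory": "Management"},
    {"eventTime": "2024-01-15T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "example-finance-bucket", "key": "reports/q4.csv"},
     "readOnly": True, "managementEvent": False, "eventCategory": "Data"},
    {"eventTime": "2024-01-15T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"},
     "requestParameters": {"bucketName": "example-finance-bucket", "key": "reports/q4-v2.csv"},
     "readOnly": False, "managementEvent": False, "eventCategory": "Data"},
    {"eventTime": "2024-01-15T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"bucketName": "example-audit-logs", "key": "2024/01/14.gz"},
     "readOnly": False, "managementEvent": False, "eventCategory": "Data"},
]})


def principal_name(identity):
    """Best-effort readable principal: IAM user name, or the ARN of an assumed role."""
    return identity.get("userName") or identity.get("arn", "unknown")


def extract_s3_data_events(log_text):
    """Keep only S3 object-level (data) events and flatten the fields an analyst
    usually pivots on. Management events such as DescribeInstances are dropped."""
    events = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("managementEvent", True):
            continue
        params = rec.get("requestParameters", {})
        events.append({
            "time": rec["eventTime"],
            "principal": principal_name(rec.get("userIdentity", {})),
            "action": rec["eventName"],
            "bucket": params.get("bucketName"),
            "key": params.get("key"),
            "read_only": rec.get("readOnly", False),
            "source_ip": rec.get("sourceIPAddress"),
        })
    return events


def summarize_by_bucket(events):
    """Count read and write object operations per bucket, using CloudTrail's readOnly flag."""
    summary = defaultdict(lambda: {"reads": 0, "writes": 0})
    for ev in events:
        summary[ev["bucket"]]["reads" if ev["read_only"] else "writes"] += 1
    return dict(summary)


def unexpected_writes(events, allowed_writers):
    """Return write events (PutObject, DeleteObject, ...) on each bucket whose principal
    is not on that bucket's allow-list. allowed_writers: {bucket: {principal, ...}}."""
    return [ev for ev in events
            if not ev["read_only"]
            and ev["principal"] not in allowed_writers.get(ev["bucket"], set())]


if __name__ == "__main__":
    data_events = extract_s3_data_events(SAMPLE_CLOUDTRAIL_LOG)
    print(summarize_by_bucket(data_events))
    # Hypothetical allow-list: only the CI deploy role may write to the finance bucket.
    ci_role = "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"
    for ev in unexpected_writes(data_events, {"example-finance-bucket": {ci_role}}):
        print("unexpected write:", ev["principal"], ev["action"], ev["bucket"], ev["key"])
```

In a real deployment the log text comes from the gzipped objects the trail delivers to its S3 bucket; the filter on eventSource and managementEvent is what separates the object-level activity from everything else the trail records. Note that read events only appear if the trail's event selector was configured to log read data events, which is the "depending on configuration" caveat above.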
Now that you have examined the logging capabilities of S3 you can explore how to capture and monitor the traffic coming through your virtual network or Virtual Private Cloud (VPC) in the case of AWS.
You likely have several different public and private subnets within your AWS account allowing external connectivity. You may even have multiple VPCs connected via VPC peering connections or AWS Transit Gateway. Either way, you will have a lot of network traffic traversing your AWS infrastructure from numerous sources, internally and externally, across thousands of interfaces. Flow logs allow you to capture this IP traffic across the network interfaces attached to your resources, which could number in the tens of thousands in a corporate environment.
Flow logs can be configured for the following resources:
As flow logs can capture information at these levels, they are a tool to help troubleshoot network issues and identify security threats. The latter can be identified when network traffic is reaching, or trying to reach, a resource or subnet that it shouldn't. This might be partly due to overly permissive security groups, a lack of rules in network access control lists (NACLs), or other controls. Either way, flow logs surface such weaknesses, allowing you to build a stronger defense and remediate potential resource vulnerabilities.
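To make the troubleshooting and threat-identification use described above concrete, here is an added example (not code from the book) that parses VPC Flow Log records in the default version 2 format, groups REJECT records by source address, and separates sources inside the VPC's address range (pointing at a security group or NACL rule blocking legitimate internal traffic) from sources outside it (unsolicited traffic being stopped at the boundary). The records, the account ID, the interface ID and the VPC CIDR of 10.0.0.0/16 are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed VPC Flow Log records in the default (version 2) format; not a real capture.
# Field order: version account-id interface-id srcaddr dstaddr srcport dstport protocol
#              packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 49152 443 6 12 3400 1705312800 1705312860 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.40 51000 22 6 1 60 1705312800 1705312860 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.40 51001 3389 6 1 60 1705312800 1705312860 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.40 51002 445 6 1 60 1705312800 1705312860 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 49153 5432 6 5 800 1705312860 1705312920 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1705312920 1705312980 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Assumed VPC address range for the constructed data; adjust to the VPC under review.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")


def parse_flow_log(text):
    """Parse default-format records into dicts. Records whose log-status is not OK
    (NODATA, SKIPDATA) carry no traffic fields and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def summarize_rejects(records, vpc_cidr=VPC_CIDR):
    """Group REJECT records by source address and split them into sources inside the
    VPC range (likely a security group or NACL rule blocking an internal tier) and
    sources outside it. Returns {"internal": {src: [ports]}, "external": {src: [ports]}}."""
    buckets = {"internal": defaultdict(set), "external": defaultdict(set)}
    for rec in records:
        if rec["action"] != "REJECT":
            continue
        scope = "internal" if ipaddress.ip_address(rec["srcaddr"]) in vpc_cidr else "external"
        buckets[scope][rec["srcaddr"]].add(rec["dstport"])
    return {scope: {src: sorted(ports) for src, ports in srcs.items()}
            for scope, srcs in buckets.items()}


def flag_port_sweeps(records, min_ports=3):
    """Return external sources whose rejected connections spanned at least min_ports
    distinct destination ports: traffic trying to reach the resource and being
    stopped by the security group or NACL, which is worth an alert."""
    summary = summarize_rejects(records)
    return sorted(src for src, ports in summary["external"].items() if len(ports) >= min_ports)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print(summarize_rejects(recs))
    print("external sources sweeping ports:", flag_port_sweeps(recs))
```

The internal REJECT (10.0.1.25 to port 5432) is the troubleshooting case: an application tier that cannot reach its database because a security group or NACL is missing a rule. The external REJECTs are the security case: the controls held, but the source is reaching for ports it has no business with. Both show up in the same data, which is why the text treats flow logs as serving both purposes.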
Figure 7.2: VPC Flow Logs architecture
Flow log data can be published to an S3 bucket or to Amazon CloudWatch Logs. When you enable the flow log, you choose which of these destinations it will publish to.
When you create a flow log, you specify three main items:
Now that you know the basics of VPC Flow Logs, you are ready to learn why it is beneficial to choose S3 versus CloudWatch Logs when deciding on log storage.