Technical Requirements – Logging and Monitoring – SCS-C02 Study Guide

Technical Requirements

Access to the AWS Management Console with an active account and the AWS CLI are required. You also need to have access to a terminal console and a text editor.

S3 Access Logs

Whenever you or your users store or access different objects in Amazon S3, you, as the security professional, may need to know who is accessing the different files, when and where they are accessed, and from what location.

You can capture all the access logs and records of who accessed the various objects in a particular bucket via a simple setting in S3. One caveat is that the access logs for an S3 bucket cannot be stored in the same bucket as the items they are tracking. This means that you need to create a new bucket for storing those logs. You can use a single bucket to track multiple S3 buckets’ access logs. Changing the access policy so that no users besides the security and audit teams or the service role that retrieves the logs may access this bucket is considered best practice.

The access logs are usually pushed to the secondary storage bucket on a best-effort basis, and this can result in a delay of a few hours before delivering the logs to the specified bucket. Sometimes logs are delivered faster, but don’t expect to find your S3 access logs in real time.

Turning on Access Logs

Perform the following steps to turn on the access logs for one of your S3 buckets:

  1. Open your terminal so that you can execute the commands using the AWS CLI.
  2. First, create an S3 bucket in which to put objects and then access them. The bucket name must be unique across all of S3, so replace packt-test-object with something that is unique to your account:

aws s3 mb s3://packt-test-object

  3. Next, create a bucket where the logs can go:

aws s3 mb s3://packt-security-logs

  4. Now create a JSON file describing your logging preferences. Open your text editor and create a file named s3_access.json with the following contents, substituting packt-security-logs in the TargetBucket value with the name you gave your logs bucket:

{
  "LoggingEnabled": {
    "TargetBucket": "packt-security-logs",
    "TargetPrefix": "S3Logs/"
  }
}

  5. With your two buckets created, you can now enable access logging using the put-bucket-logging command, as shown:

aws s3api put-bucket-logging \
  --bucket packt-test-object \
  --bucket-logging-status file://s3_access.json

You should now have access logging enabled on the object-test bucket you created for this exercise, with the logs going to the second, logs-only bucket. Next, you will go through the practice of generating log files and viewing their contents.

Creating Some Log Files

Now that you have logging turned on, you need to perform some actions to generate a few logs. After completing the necessary steps, you will view the logs. You should already have your terminal open so that you can continue entering AWS CLI commands. Further, rather than creating a whole new file to test with, use the JSON file created in the previous exercise:

  1. First, place the JSON file you created into the bucket; remember to substitute YOURBUCKET with your bucket name:

aws s3 cp s3_access.json s3://YOURBUCKET/

  2. Next, remove that same object:

aws s3 rm s3://YOURBUCKET/s3_access.json

  3. Now, upload the file again using the s3 sync command (be careful if you have created the file in a directory that contains many other files or large files, as the s3 sync command will copy all files from that directory to your S3 bucket):

aws s3 sync . s3://YOURBUCKET/

  4. Finally, download the file with a different name to your local hard drive:

aws s3 cp s3://YOURBUCKET/s3_access.json new.json

After running through that array of test commands, you can dissect the logs to see what information they provide.
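As an added example that is not part of the study guide, the Python below parses S3 server access log lines (the documented space-separated format with the timestamp in brackets and Request-URI, Referer and User-Agent in quotes) and answers the question the section opened with: who touched which key, from which address, and which records deserve a second look. The log lines are constructed for this example with placeholder owner, request and host IDs; they mirror the PUT, DELETE and GET from the exercise plus one denied request from an unauthenticated caller.

```python
import re
from collections import Counter
# Core fields of an S3 server access log record: time in [brackets]; Request-URI,
# Referer and User-Agent quoted; trailing fields (version id, host id, signature
# version, cipher suite, auth type, host header, TLS version, ...) land in "rest".
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<remote_ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\S+) (?P<error_code>\S+) '
    r'(?P<bytes_sent>\S+) (?P<object_size>\S+) (?P<total_time>\S+) '
    r'(?P<turnaround>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"(?P<rest>.*)$'
)

# Constructed sample (placeholder owner, request and host IDs): the exercise's
# PUT, DELETE and GET, plus one denied GET from an unauthenticated caller.
SAMPLE_LOG = """\
OWNERID packt-test-object [12/Mar/2024:10:01:05 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/alice REQID1 REST.PUT.OBJECT s3_access.json "PUT /s3_access.json HTTP/1.1" 200 - - 118 45 30 "-" "aws-cli/2.15.0" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader packt-test-object.s3.amazonaws.com TLSv1.2 - -
OWNERID packt-test-object [12/Mar/2024:10:01:09 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/alice REQID2 REST.DELETE.OBJECT s3_access.json "DELETE /s3_access.json HTTP/1.1" 204 - - - 22 - "-" "aws-cli/2.15.0" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader packt-test-object.s3.amazonaws.com TLSv1.2 - -
OWNERID packt-test-object [12/Mar/2024:10:01:14 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/alice REQID3 REST.GET.OBJECT s3_access.json "GET /s3_access.json HTTP/1.1" 200 - 118 118 19 12 "-" "aws-cli/2.15.0" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader packt-test-object.s3.amazonaws.com TLSv1.2 - -
OWNERID packt-test-object [12/Mar/2024:10:02:41 +0000] 203.0.113.99 - REQID4 REST.GET.OBJECT s3_access.json "GET /s3_access.json HTTP/1.1" 403 AccessDenied 243 - 8 - "-" "curl/8.4.0" - HOSTID - - - packt-test-object.s3.amazonaws.com TLSv1.2 - -
"""

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a server access log record (e.g. truncated line)
    rec = m.groupdict()
    trailing = rec.pop("rest").split()
    # Auth type is the fifth trailing field: AuthHeader, QueryString or "-".
    rec["auth_type"] = trailing[4] if len(trailing) > 4 else "-"
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def access_summary(records):
    """Count (who, from where, did what, to which key) across the records."""
    return Counter((r["requester"], r["remote_ip"], r["operation"], r["key"])
                   for r in records)

def review_findings(records):
    """Records worth a second look: unauthenticated callers, denials, deletes."""
    findings = []
    for r in records:
        if r["requester"] == "-":
            findings.append(("anonymous-request", r["request_id"]))
        if r["error_code"] == "AccessDenied":
            findings.append(("access-denied", r["request_id"]))
        if r["operation"].startswith("REST.DELETE."):
            findings.append(("object-deleted", r["request_id"]))
    return findings
```

Point parse_log at the contents of an object under the S3Logs/ prefix in your logs bucket to run it against real records; remember that delivery is best-effort, so recent requests may not have landed yet.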