Ensure governance, compliance, operational auditing, and risk auditing of AWS accounts by configuring AWS CloudTrail and AWS Config:
CloudTrail and Config store their logs in S3 buckets. CloudTrail also provides an option to forward logs to a CloudWatch Log Group, which can allow for better search capability and notification creation using CloudWatch metrics and alarms.
CloudWatch metric filters and alarms can be defined to track and alert on critical CloudTrail events (this requires CloudTrail-to-CloudWatch Logs forwarding to be enabled).
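As an added illustration (not part of the original checklist), the detection logic below evaluates constructed CloudTrail records against a few CIS AWS Foundations Benchmark-style rules; the metric filter pattern strings shown next to each rule are the ones you would attach to the CloudTrail log group in CloudWatch Logs, and the Python predicates reproduce the same matching offline so the rules can be tested before deploying alarms.

```python
import json

# Constructed sample CloudTrail records, trimmed to the fields the rules inspect.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "StopLogging", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventName": "PutObject", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "lambda.amazonaws.com"}},
]

# (rule name, CloudWatch Logs metric filter pattern, equivalent Python predicate).
# Patterns follow the CIS AWS Foundations Benchmark monitoring recommendations.
RULES = [
    ("RootAccountUsage",
     '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
     '&& $.eventType != "AwsServiceEvent" }',
     lambda e: e.get("userIdentity", {}).get("type") == "Root"
               and "invokedBy" not in e.get("userIdentity", {})
               and e.get("eventType") != "AwsServiceEvent"),
    ("UnauthorizedApiCalls",
     '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
     lambda e: e.get("errorCode", "").endswith("UnauthorizedOperation")
               or e.get("errorCode", "").startswith("AccessDenied")),
    ("CloudTrailConfigChange",
     '{ ($.eventName = StopLogging) || ($.eventName = DeleteTrail) || ($.eventName = UpdateTrail) }',
     lambda e: e.get("eventName") in ("StopLogging", "DeleteTrail", "UpdateTrail")),
    ("ConsoleLoginWithoutMfa",
     '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
     lambda e: e.get("eventName") == "ConsoleLogin"
               and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"),
]

def evaluate(events):
    """Count matches per rule, as a metric filter would increment its metric per record."""
    counts = {name: 0 for name, _, _ in RULES}
    for event in events:
        for name, _, predicate in RULES:
            if predicate(event):
                counts[name] += 1
    return counts

def alarming(counts, threshold=1):
    """Rule names whose count reaches the alarm threshold (CIS alarms use >= 1 per period)."""
    return sorted(name for name, count in counts.items() if count >= threshold)

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_EVENTS), indent=2))
    print("ALARM:", alarming(evaluate(SAMPLE_EVENTS)))
```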
In addition to tracking account activity and configuration changes, it is recommended to track cost and usage. AWS Budgets allows tracking both costs and usage, with notifications based on actual or forecasted thresholds.
AWS provides capabilities to log network activity for resources deployed in VPCs using the following options:
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior by analyzing CloudTrail events, VPC Flow Logs, and DNS logs in an AWS account.
AWS WAF helps protect internet-facing applications and API endpoints. AWS WAF integrates with CloudFront, load balancers, and API Gateway to inspect (and optionally block) traffic deemed malicious. Use the AWS Managed Rules package to get started, or one of the partner-managed rule packages (e.g. F5, Imperva, Fortinet).
AWS provides several services to help monitor configuration and ensure compliance with security standards and best practices:
AWS also provides service-specific activity and access logs that can be turned on selectively for supported resources. Note that enabling logging for these services incurs additional charges and, depending on usage, the costs can be significant. Some of the common services:
Using the CloudWatch Log Agent, metrics and logs can be collected from EC2 instances and forwarded to CloudWatch. This includes operating system logs (Windows or Linux) as well as logs for applications running on EC2 instances.
In addition to logging services, AWS provides several options to review, analyze, and visualize logs (alternatively, third-party tools such as Splunk or Datadog can be used):