SEC04-BP01: Configure service and application logging

Configure logging throughout your workload, including application logs, resource logs, and AWS service logs. For example, ensure that AWS CloudTrail, VPC Flow Logs, and DNS logs are enabled and centralized.

Implementation guidance

Comprehensive logging is essential for detecting security events, investigating incidents, and maintaining compliance. By configuring logging across all layers of your workload, you create a detailed audit trail that enables effective security monitoring and incident response.

Key steps for implementing this best practice:

1. Enable AWS service logging:
   • Configure AWS CloudTrail for API activity logging
   • Enable VPC Flow Logs for network traffic monitoring
   • Set up DNS query logging with Route 53 Resolver
   • Enable AWS Config for resource configuration tracking
   • Configure load balancer access logs
   • Enable database audit logs (RDS, DynamoDB)
2. Configure application logging:
   • Implement structured logging in your applications
   • Log security-relevant events (authentication, authorization, data access)
   • Include contextual information (user ID, session ID, IP address)
   • Use consistent log formats across applications
   • Implement log correlation identifiers
3. Centralize log collection:
   • Use Amazon CloudWatch Logs for centralized log storage
   • Configure log agents on EC2 instances and containers
   • Set up log streaming from Lambda functions
   • Implement log forwarding from on-premises systems
   • Use AWS Systems Manager for hybrid log collection
4. Implement log retention and lifecycle management:
   • Define retention policies based on compliance requirements
   • Configure automatic log archival to cost-effective storage
   • Implement log compression and optimization
   • Set up automated log deletion for expired data
   • Consider long-term archival requirements
5. Secure log data:
   • Encrypt logs in transit and at rest
   • Implement access controls for log data
   • Use separate accounts or roles for log management
   • Protect log integrity with checksums or digital signatures
   • Monitor for unauthorized log access or modification
6. Optimize logging for analysis:
   • Use structured logging formats (JSON, XML)
   • Implement consistent timestamp formats
   • Include relevant metadata and context
   • Configure log parsing and normalization
   • Set up log indexing for efficient searching

Implementation examples

Example 1: Comprehensive CloudTrail configuration

Code snippet hidden for website display

Code snippet hidden for website display

Example 2: VPC Flow Logs configuration

Code snippet hidden for website display

Example 3: Application logging with structured format

Code snippet hidden for website display

Example 4: CloudWatch Logs configuration with Lambda

Code snippet hidden for website display

AWS services to consider

AWS CloudTrail

Records API calls for your account and delivers log files to you. Essential for auditing AWS service usage and detecting unauthorized activities.

Amazon CloudWatch Logs

Monitors, stores, and provides access to your log files from Amazon EC2 instances, AWS CloudTrail, and other sources. Centralized logging solution for AWS workloads.

Amazon VPC Flow Logs

Captures information about the IP traffic going to and from network interfaces in your VPC. Essential for network security monitoring and troubleshooting.

AWS Config

Enables you to assess, audit, and evaluate the configurations of your AWS resources. Provides configuration history and change notifications.

Amazon Route 53 Resolver

Provides DNS resolution for your VPC and on-premises networks. DNS query logging helps detect malicious domain lookups and data exfiltration attempts.

AWS Systems Manager

Gives you visibility and control of your infrastructure on AWS. Use Systems Manager Agent to collect logs from EC2 instances and hybrid environments.

Benefits of configuring service and application logging

• Enhanced security visibility: Provides comprehensive view of activities across your workload
• Improved incident response: Enables faster detection and investigation of security events
• Compliance support: Meets regulatory requirements for audit trails and logging
• Operational insights: Helps identify performance issues and optimization opportunities
• Forensic capabilities: Provides detailed evidence for security investigations
• Proactive monitoring: Enables early detection of security threats and anomalies
• Accountability: Creates audit trails for user and system activities

Related resources

Related Resources

• AWS Well-Architected Framework - Configure service and application logging
• AWS CloudTrail User Guide
• VPC Flow Logs User Guide
• Amazon CloudWatch Logs User Guide
• How to monitor and visualize failed SSH access attempts to Amazon EC2 Linux instances
• How to centralize findings from AWS security services using AWS Security Hub custom insights