Security Logging & Auditing (CloudTrail, Config, VPC Flow Logs)
Difficulty: hard
Overview
Comprehensive logging is essential for security monitoring, compliance, and incident investigation.
AWS CloudTrail:
- Records AWS API calls (who, what, when, from where)
- Management events: Control plane operations (CreateBucket, RunInstances, AttachRolePolicy) — enabled by default
- Data events: Object-level S3 operations (GetObject, PutObject), Lambda invocations, DynamoDB item-level — disabled by default, additional cost
- Insights events: Detects unusual API call rates or error rates (statistical anomaly detection)
- CloudTrail Lake: Managed data lake for CloudTrail events; SQL-based queries; 7-year retention; immutable
CloudTrail Security Best Practices:
- Enable in ALL regions (multi-region trail) and all accounts
- Enable log file integrity validation (SHA-256 hash + RSA signature) — detects tampering
- Deliver to a centralized S3 bucket in a security/log-archive account
- Enable SSE-KMS encryption on the S3 bucket
- Set S3 Object Lock to prevent deletion
- Use an SCP to prevent member accounts from disabling CloudTrail
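The tamper-detection property of log file integrity validation comes from the digest chain: each hourly digest file lists the SHA-256 hash of the uncompressed contents of every log file it covers, plus the hash of the previous digest, and CloudTrail signs each digest with an RSA private key. The following is an added example, not part of the page or of any AWS tooling, that builds a two-digest chain over constructed log files and then re-hashes everything the way a verifier would, reporting any log file that was modified or deleted. The account ID, bucket name and S3 keys are made up, and the RSA signature step (what `aws cloudtrail validate-logs` performs against the public keys from `list-public-keys`) is deliberately left out; only the hash chain is checked.

```python
import gzip
import hashlib
import json

# All identifiers below are constructed for the example: not a real account, bucket or trail.
ACCOUNT = "111111111111"
BUCKET = "example-log-archive"
PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/01/01/"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log_object(records: list) -> bytes:
    """A CloudTrail log file as stored in S3: gzip-compressed JSON with a Records array."""
    return gzip.compress(json.dumps({"Records": records}).encode())


def make_digest(key: str, log_objects: dict, previous=None) -> bytes:
    """Build a digest object (gzipped JSON) using the documented digest field names.
    Hashes cover the uncompressed contents of each log file and of the previous digest.
    `previous` is (key, bytes) of the prior digest in the chain, or None for the first one.
    The RSA signature CloudTrail stores alongside the real digest is omitted here."""
    digest = {
        "awsAccountId": ACCOUNT,
        "digestS3Bucket": BUCKET,
        "digestS3Object": key,
        "digestSignatureAlgorithm": "SHA256withRSA",
        "previousDigestS3Bucket": BUCKET if previous else None,
        "previousDigestS3Object": previous[0] if previous else None,
        "previousDigestHashValue": sha256_hex(gzip.decompress(previous[1])) if previous else None,
        "logFiles": [
            {"s3Bucket": BUCKET, "s3Object": k, "hashAlgorithm": "SHA-256",
             "hashValue": sha256_hex(gzip.decompress(v))}
            for k, v in log_objects.items()
        ],
    }
    return gzip.compress(json.dumps(digest).encode())


def verify_digest(digest_obj: bytes, store: dict) -> dict:
    """Re-hash every log file the digest names, and the previous digest it links to.
    `store` maps S3 key -> object bytes (a stand-in for s3:GetObject).
    Returns {key: "OK" | "MODIFIED" | "MISSING"}."""
    digest = json.loads(gzip.decompress(digest_obj))
    expected = {lf["s3Object"]: lf["hashValue"] for lf in digest["logFiles"]}
    if digest.get("previousDigestS3Object"):
        expected[digest["previousDigestS3Object"]] = digest["previousDigestHashValue"]
    status = {}
    for key, want in expected.items():
        obj = store.get(key)
        if obj is None:
            status[key] = "MISSING"       # object deleted (or never delivered)
        elif sha256_hex(gzip.decompress(obj)) != want:
            status[key] = "MODIFIED"      # contents no longer match the digest
        else:
            status[key] = "OK"
    return status


LOG_A, LOG_B, LOG_C = (PREFIX + f"log_{n}.json.gz" for n in ("0000", "0100", "0200"))
DIGEST_1, DIGEST_2 = PREFIX + "digest_0100.json.gz", PREFIX + "digest_0200.json.gz"


def build_sample_store() -> dict:
    """Constructed bucket contents: digest 1 covers two log files, digest 2 covers one and links back."""
    store = {
        LOG_A: make_log_object([{"eventName": "CreateBucket"}]),
        LOG_B: make_log_object([{"eventName": "RunInstances"}]),
        LOG_C: make_log_object([{"eventName": "AttachRolePolicy"}]),
    }
    store[DIGEST_1] = make_digest(DIGEST_1, {LOG_A: store[LOG_A], LOG_B: store[LOG_B]})
    store[DIGEST_2] = make_digest(DIGEST_2, {LOG_C: store[LOG_C]}, previous=(DIGEST_1, store[DIGEST_1]))
    return store


def tampered_store() -> dict:
    """The same bucket after one log file is rewritten and another is deleted."""
    store = build_sample_store()
    store[LOG_A] = make_log_object([])   # events scrubbed from a delivered log file
    del store[LOG_C]                      # a log file removed outright
    return store


if __name__ == "__main__":
    for name, store in (("clean", build_sample_store()), ("tampered", tampered_store())):
        for digest_key in (DIGEST_1, DIGEST_2):
            print(name, digest_key.rsplit("/", 1)[1], verify_digest(store[digest_key], store))
```

Because each digest embeds the hash of the previous one, an attacker who rewrites a log file would also have to rewrite every later digest, and the RSA signatures on those digests cannot be regenerated without CloudTrail's private key; that is why the validation should be combined with Object Lock and a bucket in a separate log-archive account rather than relied on alone.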
AWS Config:
- Continuous inventory and configuration tracking of AWS resources
- Managed rules: Pre-built evaluations (e.g., encrypted-volumes, s3-bucket-public-read-prohibited, iam-password-policy)
- Custom rules: Lambda-based rules for custom compliance checks
- Conformance Packs: Collections of rules for compliance frameworks (PCI-DSS, CIS, HIPAA)
- Aggregator: Multi-account/multi-region view (requires AWS Organizations or individual authorization)
- Remediation: Manual or automatic using SSM Automation runbooks
Config Rule Trigger Types:
| Type | When evaluated |
|---|---|
| Configuration change | When resource config changes |
| Periodic | Every 1, 3, 6, 12, or 24 hours |
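A custom rule is a Lambda function that Config invokes with the changed configuration item (for configuration-change triggers) and reports back with PutEvaluations. The following is an added example, not from the page and not the managed `encrypted-volumes` rule itself, showing the evaluation logic for `AWS::EC2::Volume` items as a change-triggered custom rule, including the NOT_APPLICABLE cases for other resource types and deleted resources. The `kmsKeyArn` rule parameter is a hypothetical extension (require a specific key rather than any encryption), and the volume ID, key ARNs and result token are constructed.

```python
import json

# Constructed values for the example; the rule logic is the part that matters.
VOLUME_ID = "vol-0123456789abcdef0"
KEY_A = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-00000000000a"
KEY_B = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-00000000000b"


def evaluate_volume(item: dict, params: dict) -> dict:
    """Evaluate one configuration item; return an entry in the shape PutEvaluations expects."""
    resource_type = item["resourceType"]
    if resource_type != "AWS::EC2::Volume":
        compliance, note = "NOT_APPLICABLE", f"rule does not evaluate {resource_type}"
    elif item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        compliance, note = "NOT_APPLICABLE", "resource has been deleted"
    else:
        cfg = item["configuration"]          # mirrors the DescribeVolumes fields
        required_key = params.get("kmsKeyArn")   # hypothetical optional rule parameter
        if not cfg.get("encrypted"):
            compliance, note = "NON_COMPLIANT", "volume is not encrypted"
        elif required_key and cfg.get("kmsKeyId") != required_key:
            compliance, note = "NON_COMPLIANT", f"encrypted with {cfg.get('kmsKeyId')}, expected {required_key}"
        else:
            compliance, note = "COMPLIANT", "volume is encrypted"
    return {
        "ComplianceResourceType": resource_type,
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],                      # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def build_evaluations(event: dict) -> list:
    """Unpack the Lambda event Config sends: invokingEvent and ruleParameters are JSON strings."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking.get("configurationItem")
    if item is None:
        # Periodic triggers (and oversized-change notifications) carry no inline item;
        # a rule for those has to enumerate resources itself. This example handles change triggers only.
        return []
    return [evaluate_volume(item, params)]


def lambda_handler(event, context):
    evaluations = build_evaluations(event)
    import boto3  # imported here so the evaluation logic above runs without the SDK installed
    boto3.client("config").put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations


def sample_event(encrypted: bool, kms_key_id=None, rule_params=None) -> dict:
    """Constructed invocation event in the shape Config delivers for a configuration change."""
    item = {
        "resourceType": "AWS::EC2::Volume",
        "resourceId": VOLUME_ID,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"volumeId": VOLUME_ID, "encrypted": encrypted, "kmsKeyId": kms_key_id},
    }
    return {
        "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                     "configurationItem": item}),
        "ruleParameters": json.dumps(rule_params or {}),
        "resultToken": "constructed-result-token",
    }


if __name__ == "__main__":
    for ev in (sample_event(False), sample_event(True, KEY_A), sample_event(True, KEY_A, {"kmsKeyArn": KEY_B})):
        result = build_evaluations(ev)[0]
        print(result["ComplianceType"], "-", result["Annotation"])
```

Note what the rule does not look at: patch level, agent status or anything else about the instance. Encryption is a property of the volume recorded in its configuration item, so the only change that flips this evaluation to COMPLIANT is a re-evaluation after the volume itself is replaced by an encrypted one; an aggregator then surfaces that result across accounts and regions without any change to the rule.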
VPC Flow Logs:
- Log accepted/rejected traffic at VPC, subnet, or ENI level
- Does NOT log: DNS traffic to Route53, instance metadata requests, DHCP, Windows license traffic
- Query with CloudWatch Logs Insights or Athena (S3 delivery)
- Critical for: detecting port scans, unexpected connections, data exfiltration
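Whether the records land in CloudWatch Logs or in S3 for Athena, an investigation like the one in Q3 boils down to the same operations over the default record format: filter on an address, group rejected flows by source to spot scanning, and sum accepted outbound bytes to external destinations. The following is an added example, not from the page, that parses default-format (version 2) flow log records and runs those three checks over a constructed sample; the account ID, ENI ID and internal addresses are made up, and `1.2.3.4` is simply the address named in Q3.

```python
import ipaddress
from collections import defaultdict

# Default flow log record format (version 2): space-separated fields in this order.
FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log-status"]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample records: 1.2.3.4 probes five ports and is rejected, then is accepted on 443
# and receives a large transfer; one record is a NODATA placeholder with no flow fields.
SAMPLE_LOG = """\
2 111111111111 eni-0a1b2c3d4e5f6a7b 1.2.3.4 10.0.1.10 51000 22 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f6a7b 1.2.3.4 10.0.1.10 51001 23 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f6a7b 1.2.3.4 10.0.1.10 51002 445 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f6a7b 1.2.3.4 10.0.1.10 51003 3389 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f6a7b 1.2.3.4 10.0.1.10 51004 8080 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f6a7b 1.2.3.4 10.0.1.10 51005 443 6 12 2400 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f6a7b 10.0.1.10 1.2.3.4 443 51005 6 8000 52000000 1700000100 1700000700 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f6a7b 10.0.1.20 10.0.2.30 41000 5432 6 100 80000 1700000100 1700000700 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f6a7b 203.0.113.9 10.0.1.10 40000 443 6 5 600 1700000100 1700000700 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f6a7b - - - - - - - 1700000100 1700000700 - NODATA
"""


def parse_flow_log(text: str) -> list:
    """Parse default-format records into dicts, dropping NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        rec = dict(zip(FIELDS, parts))
        if rec["log-status"] != "OK":   # placeholder records carry '-' in the flow fields
            continue
        for f in INT_FIELDS:
            rec[f] = int(rec[f])
        records.append(rec)
    return records


def flows_involving(records: list, ip: str) -> list:
    """Every flow where the address is source or destination (the Q3 question)."""
    return [r for r in records if ip in (r["srcaddr"], r["dstaddr"])]


def port_scan_candidates(records: list, min_ports: int = 5) -> dict:
    """Sources rejected on at least `min_ports` distinct destination ports -> sorted port list."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def outbound_bytes_to_external(records: list, internal_nets: list) -> dict:
    """Accepted bytes sent from internal addresses to addresses outside `internal_nets`,
    summed per external destination: the starting point for an exfiltration check."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def internal(ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in n for n in nets)

    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ACCEPT" and internal(r["srcaddr"]) and not internal(r["dstaddr"]):
            totals[r["dstaddr"]] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(len(flows_involving(recs, "1.2.3.4")), "flows involve 1.2.3.4")
    print("scan candidates:", port_scan_candidates(recs))
    print("outbound bytes to external hosts:", outbound_bytes_to_external(recs, ["10.0.0.0/16"]))
```

Two caveats carry over to the real services: the `start`/`end` fields bound an aggregation window rather than individual packets, so the byte total is per window, and the per-ENI capture means a flow between two instances in the same VPC appears twice if both ENIs are logged, so deduplicate on (interface-id, flow tuple) before summing when logging at VPC level.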
CloudWatch Logs for Security:
- Metric filters: extract and count security events (e.g., count of failed SSH logins)
- Subscriptions: real-time streaming to Lambda for automated response
- Logs Insights: ad-hoc query for security investigations
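When CloudTrail delivers to a CloudWatch Logs group, each log event's message is one CloudTrail record, so the alerting in Q4 and Q9 can be a metric filter such as `{ ($.eventName = StopLogging) || ($.eventName = DeleteTrail) }` with an alarm, or a subscription filter feeding a Lambda that inspects the same records. The following is an added example, not from the page, of that subscription-side Lambda: it decodes the `awslogs.data` payload (base64 of gzipped JSON, which is the documented delivery format) and flags CloudTrail-disabling and IAM-change event names. The watched-event set is a hypothetical choice, and the sample records, account ID, log group and principal ARNs are constructed.

```python
import base64
import gzip
import json

# Hypothetical watch list: trail-disabling calls plus a few IAM changes.
WATCHED_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                  "CreateUser", "AttachRolePolicy", "PutUserPolicy"}


def decode_subscription_payload(event: dict) -> dict:
    """CloudWatch Logs delivers a subscription batch as base64(gzip(JSON)) under awslogs.data."""
    raw = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(raw))


def findings_from_payload(payload: dict, watched=WATCHED_EVENTS) -> list:
    """Parse each log event's message as a CloudTrail record and keep the watched event names."""
    findings = []
    for log_event in payload.get("logEvents", []):
        try:
            record = json.loads(log_event["message"])
        except (KeyError, json.JSONDecodeError):
            continue   # not a CloudTrail record; skip rather than fail the whole batch
        name = record.get("eventName")
        if name in watched:
            findings.append({
                "eventName": name,
                "eventSource": record.get("eventSource"),
                "eventTime": record.get("eventTime"),
                "accountId": record.get("recipientAccountId"),
                "principal": record.get("userIdentity", {}).get("arn"),
                "sourceIPAddress": record.get("sourceIPAddress"),
                "requestParameters": record.get("requestParameters"),
                "logGroup": payload.get("logGroup"),
            })
    return findings


def lambda_handler(event, context):
    """Entry point: decode, match, and hand findings to whatever notifies the team (e.g. SNS)."""
    findings = findings_from_payload(decode_subscription_payload(event))
    for f in findings:
        print(json.dumps(f))   # replace with an SNS publish or ticket creation in production
    return findings


def sample_event() -> dict:
    """Constructed subscription payload containing three CloudTrail records, two of them watched."""
    records = [
        {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
         "eventName": "StopLogging", "sourceIPAddress": "203.0.113.5",
         "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
         "requestParameters": {"name": "org-trail"}, "recipientAccountId": "111111111111"},
        {"eventTime": "2024-01-01T10:00:05Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
         "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
         "recipientAccountId": "111111111111"},
        {"eventTime": "2024-01-01T10:00:09Z", "eventSource": "iam.amazonaws.com",
         "eventName": "AttachRolePolicy", "sourceIPAddress": "203.0.113.5",
         "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
         "requestParameters": {"roleName": "app-role",
                               "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
         "recipientAccountId": "111111111111"},
    ]
    payload = {
        "messageType": "DATA_MESSAGE",
        "owner": "111111111111",
        "logGroup": "CloudTrail/org-trail",
        "logStream": "111111111111_CloudTrail_us-east-1",
        "subscriptionFilters": ["security-events"],
        "logEvents": [{"id": str(i), "timestamp": 1704103200000 + i * 1000, "message": json.dumps(r)}
                      for i, r in enumerate(records)],
    }
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()
    return {"awslogs": {"data": data}}


if __name__ == "__main__":
    lambda_handler(sample_event(), None)
```

The subscription filter pattern on the log group should already narrow the stream to the watched event names so the function is not invoked for every DescribeInstances call; the in-function check then guards against the filter and the code drifting apart. For the multi-account case in Q9, one organization trail delivering to a single log group in the log-archive account means this one filter and function cover all member accounts.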
Practice Linked Questions
Q1. CloudTrail is enabled with management events only. A Lambda function is invoked 50,000 times per day. Will these Lambda invocations appear in CloudTrail logs?
Q2. A company wants to ensure CloudTrail log files have not been tampered with or deleted after delivery to S3. Which CloudTrail feature provides cryptographic verification of log integrity?
Q3. A security team receives a tip that a specific IP address (1.2.3.4) has been communicating with EC2 instances in their VPC over the past 7 days. Which service and query approach is MOST appropriate to investigate this?
Q4. A company wants to receive an immediate alert when anyone disables CloudTrail logging in any of their AWS accounts. What is the MOST efficient near-real-time detection approach?
Q5. An AWS Config rule evaluates an S3 bucket and marks it NON_COMPLIANT because public access is enabled. The team enables S3 Block Public Access to remediate. When will the Config rule status update to COMPLIANT?
Q6. A compliance team needs a centralized view showing whether ALL EC2 instances across 20 member accounts have encrypted EBS volumes. Which is the BEST architecture?
Q7. AWS Config detects that an S3 bucket has public access enabled (NON_COMPLIANT). The company wants this automatically remediated. What is the CORRECT remediation approach?
Q8. Which of the following are valid options for storing and securing CloudTrail log files? (More than one answer may be correct — Select TWO.)
Q9. An organization uses CloudTrail for logging. They want to ensure that no IAM changes (CreateUser, AttachRolePolicy, etc.) go undetected across 15 accounts. Which combination of services provides near-real-time alerting with least setup overhead?
Q10. What must the security team check FIRST when CloudTrail log file validation indicates that a log file has been modified or deleted?
Q11. A company needs to implement a CloudTrail configuration that protects logs from deletion or modification, even if the security account is compromised. Which COMBINATION of S3 features provides the STRONGEST protection?
Q12. Which component of AWS CloudTrail specifically detects unusual API activity patterns, such as a sudden spike in DescribeInstances calls across many regions?
Q13. A company must implement a security control that automatically remediates ANY EC2 instance found to have a security group rule allowing 0.0.0.0/0 access on SSH port 22. The control must work across 15 AWS accounts. Which architecture implements this with the LEAST operational overhead?
Q14. An AWS Config aggregator shows that 8 out of 50 EC2 instances across multiple accounts are NON_COMPLIANT with the "encrypted-volumes" rule. A security engineer uses AWS Systems Manager to patch all 50 instances. Will this resolve the encryption compliance issue?
Q15. A security engineer must ensure that all new S3 buckets created in an AWS account are automatically encrypted with a specific Customer Managed KMS Key by default. What is the CORRECT configuration?