Security Auditing and Logging
You cannot defend what you cannot see. Logging records every action that happens in your cloud environment — who did what, when, and from where. Auditing reviews those logs to verify that your security controls are working correctly. Together, logging and auditing give you visibility into your cloud and the evidence you need after an incident.
The Security Camera Analogy
Imagine a bank with no security cameras. A robbery happens and no one can identify the attacker, prove what was taken, or show how the robber entered. Now imagine the same bank with cameras at every door and counter. After the robbery, investigators review the footage, identify the attacker, trace every step, and recover the stolen items. Cloud logs are your security cameras. They run continuously and silently, recording everything.
What Should Be Logged
Effective cloud logging captures activity at multiple layers of the environment.
- Authentication events: Successful logins, failed login attempts, password resets, MFA changes.
- Administrative actions: Creating, modifying, or deleting cloud resources (virtual machines, storage buckets, security groups, IAM policies).
- Data access: Who read or downloaded sensitive files, which database queries ran, which API calls were made.
- Network traffic: VPC flow logs showing connection sources, destinations, and whether they were allowed or blocked.
- Application events: Errors, crashes, unusual user behavior within your applications.
Cloud-Native Logging Services
| Provider | Service | What It Logs |
|---|---|---|
| AWS | AWS CloudTrail | All API calls and console actions across your AWS account |
| AWS | Amazon CloudWatch Logs | Application logs, system metrics, custom log streams |
| Azure | Azure Monitor / Activity Log | Subscription-level operations, resource changes |
| Google Cloud | Cloud Audit Logs | Admin activity, data access, system events |
A Log Entry Explained
Sample CloudTrail Log Entry (simplified): -------------------------------------------------- Time: 2024-09-15 03:42:11 UTC User: james.wilson@company.com Action: DeleteObject Resource: s3://production-backups/db-backup-2024.sql Source IP: 45.33.22.10 (← not a company IP address) Result: Success -------------------------------------------------- What this tells us: - A user deleted a production backup at 3:42 AM - The action came from an unfamiliar IP address - This is highly suspicious and warrants investigation
Centralized Log Management
Logs from dozens of services quickly become unmanageable if stored separately. Centralized log management collects all logs into one place — a SIEM (Security Information and Event Management) system — where security teams can search, correlate, and analyze them efficiently.
Popular SIEM tools include Splunk, Microsoft Sentinel, AWS Security Lake, and Elastic SIEM. A SIEM can automatically correlate events — for example, flagging a situation where a user fails MFA ten times and then suddenly succeeds from a new country within minutes.
Centralized Logging Architecture:
--------------------------------------------------
[ CloudTrail ] ──┐
[ VPC Flow Logs ]──┤
[ App Logs ] ──┤──► [ Log Aggregator ] ──► [ SIEM ]
[ WAF Logs ] ──┤ |
[ DB Audit Logs]──┘ [ Alerts ]
[ Dashboards ]
[ Investigations ]
--------------------------------------------------
Log Integrity and Tamper Protection
Logs are only useful if they are trustworthy. An attacker who compromises a system may try to delete or alter logs to cover their tracks. Protect your logs by:
- Storing logs in a separate, write-protected storage bucket that the compromised system cannot modify.
- Enabling log file validation (AWS CloudTrail provides cryptographic hash validation for each log file).
- Restricting who has permission to delete logs — ideally no one, even admins, during the retention period.
- Sending logs to an immutable storage tier where data cannot be modified or deleted for a defined retention period.
Security Auditing
An audit reviews your cloud environment to verify that security controls are configured correctly and working as intended. Audits can be internal (your team reviews your own configurations) or external (an independent third party evaluates your environment).
Common audit activities include checking IAM policies for over-permissive roles, verifying encryption settings on databases and storage, reviewing firewall rules for unnecessary open ports, confirming MFA is enforced on all accounts, and testing that logging is enabled and covering all required services.
Log Retention Requirements
Different regulations require logs to be retained for specific periods. HIPAA requires audit logs for at least six years. PCI DSS requires one year of log retention with three months immediately available. Your organization's legal and compliance team should define retention policies for each log type.
Key Terms to Know
- SIEM: Security Information and Event Management — a platform that collects, correlates, and analyzes security logs from multiple sources.
- CloudTrail: AWS service that records every API call and console action in an AWS account.
- Log Retention: How long log data must be kept, often defined by regulation.
- Immutable Storage: Storage where data cannot be modified or deleted during a defined retention window.
- Audit: A systematic review of security controls, configurations, and logs to verify compliance and effectiveness.
What You Learned
Logging captures a continuous record of all actions in your cloud environment — authentication, administration, data access, and network traffic. Cloud-native services like AWS CloudTrail and Google Cloud Audit Logs collect this data automatically. Centralizing logs in a SIEM enables correlation and faster detection of suspicious patterns. Protecting log integrity ensures attackers cannot cover their tracks. Regular audits verify that controls remain correctly configured and compliant with regulations.
