INF-03: Logging & Monitoring
Objective
Enable security incident detection and investigation through comprehensive logging.
Description
Security events and system activities are logged centrally. Logs are monitored for anomalies and security incidents. Logs are retained and protected from tampering.
Implementation Details
Centralized Logging: AWS CloudTrail, VPC Flow Logs and application logs are all sent to CloudWatch Logs, with an immutable copy kept in S3.
Security Monitoring: AWS GuardDuty for threat detection. CloudWatch alarms for critical events (root account usage, unauthorized API calls).
Alerting: PagerDuty integration for security alerts. P0/P1 alerts page on-call engineer 24/7.
Log Retention: Security logs are retained for 7 years, application logs for 90 days. Logs are encrypted and access-controlled.
Examples
- CloudTrail logs every AWS API call across all regions to an immutable S3 bucket
- Failed authentication attempts trigger an alert after 5 failures in 5 minutes
- GuardDuty detected and alerted on a compromised EC2 instance (bitcoin mining)
- Security team can search all logs in CloudWatch Insights for investigation
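The three detections named above (root account usage, unauthorized API calls, and 5 failed logins in 5 minutes) expressed as detection logic over CloudTrail-style records. This is an added illustration, not the organization's own alarm definitions; the sample events are constructed, the alert names and thresholds are assumptions, and the root-usage condition follows the common CloudTrail metric-filter pattern (type Root, no invokedBy, not an AwsServiceEvent).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                  # failures per principal ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this sliding window

# Constructed CloudTrail-style records (not real logs); only the fields used here.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "errorCode": "AccessDenied"},
] + [
    {"eventTime": f"2024-01-01T10:0{i}:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}}
    for i in range(2, 7)  # five failures between 10:02 and 10:06
]


def evaluate(events):
    """Return (alert_type, principal, detail) tuples for the events, in time order."""
    alerts = []
    failures = defaultdict(deque)  # principal -> timestamps of recent failed logins
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        ident = ev.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type", "unknown")

        # Root account usage: direct root activity, not a service acting on its behalf.
        if (ident.get("type") == "Root" and "invokedBy" not in ident
                and ev.get("eventType") != "AwsServiceEvent"):
            alerts.append(("ROOT_USAGE", who, ev["eventName"]))

        # Unauthorized API call: the call was attempted but denied.
        if ev.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
            alerts.append(("UNAUTHORIZED_API_CALL", who, ev["eventName"]))

        # Failed console logins: count per principal inside a sliding 5-minute window.
        if (ev["eventName"] == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
            recent = failures[who]
            recent.append(ts)
            while recent and ts - recent[0] > FAIL_WINDOW:
                recent.popleft()  # drop failures that aged out of the window
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("FAILED_LOGINS", who, f"{len(recent)} failures in {FAIL_WINDOW}"))
                recent.clear()  # one burst raises one alert, not one per extra failure
    return alerts
```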
Audit Evidence
- CloudTrail configuration showing all regions enabled
- CloudWatch alarm definitions
- PagerDuty integration and alert history
- Log retention policy and S3 lifecycle configuration
Framework Mapping
SOC 2
- CC7.2 ^[Centralized logging and monitoring detect anomalies indicative of malicious acts, natural disasters, or errors]
- CC7.3 ^[Log analysis and alerting enable evaluation of security events and timely response]
GDPR
- Article 32 ^[Logging and monitoring enable detection of, and ability to respond to, security incidents affecting personal data]
Referenced By
This section is automatically generated by make generate-backlinks. Do not edit manually.
Standards:
Processes: