As organizations increasingly adopt cloud technologies across multiple cloud environments, understanding key log sources within each of the major cloud environments becomes crucial knowledge for effective incident response and security management. This blog will look at some of the most useful log sources for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
AWS CloudTrail Event History Logs
CloudTrail is essential for monitoring AWS account activity. It captures all API calls and actions across AWS services, providing a comprehensive record of activities for auditing and forensic investigations.
CloudWatch Logs collects and monitors log data from AWS resources, applications, and services. It is crucial for real-time application monitoring, troubleshooting, and ensuring operational health.
VPC Flow Logs capture information about the IP traffic going to and from network interfaces in a Virtual Private Cloud (VPC). They are essential for network monitoring and troubleshooting security issues.
Amazon S3 can be configured to create access log records for the requests made against it. These logs are vital for monitoring data access and detecting potential unauthorized access or data breaches.
IAM Access Analyzer helps monitor access permissions granted to AWS resources. It generates detailed logs on who accessed what, enhancing visibility into potential security risks associated with access permissions.
Lambda functions generate logs that are automatically collected by CloudWatch Logs. These logs help in monitoring the performance and troubleshooting issues related to serverless applications.
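As an added illustration of how the CloudTrail records described above are used in an investigation (example code written for this post, not Cado's playbooks or an AWS-provided tool), the following Python triages a small constructed CloudTrail export: it flags root-account activity, API calls that change whether CloudTrail keeps logging, and AccessDenied errors, then pivots on source IP. The account id, ARNs and IP addresses in the sample are made up.

```python
import json
from collections import Counter

# Constructed sample in the standard CloudTrail export shape ({"Records": [...]}).
# Account id, ARNs, trail name and IP addresses are invented for this example.
SAMPLE_CLOUDTRAIL = json.dumps({
    "Records": [
        {
            "eventTime": "2024-05-01T10:00:00Z",
            "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
            "sourceIPAddress": "203.0.113.10",
            "responseElements": {"ConsoleLogin": "Success"},
        },
        {
            "eventTime": "2024-05-01T10:05:00Z",
            "eventSource": "cloudtrail.amazonaws.com",
            "eventName": "StopLogging",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
            "sourceIPAddress": "203.0.113.10",
            "requestParameters": {"name": "management-trail"},
        },
        {
            "eventTime": "2024-05-01T10:06:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "GetBucketAcl",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
            "sourceIPAddress": "198.51.100.7",
            "errorCode": "AccessDenied",
        },
        {
            "eventTime": "2024-05-01T10:07:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "DescribeInstances",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
            "sourceIPAddress": "198.51.100.7",
        },
    ]
})

# CloudTrail API calls that change whether the trail keeps recording at all.
AUDIT_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def load_records(text):
    """Parse a CloudTrail JSON export and return its list of event records."""
    return json.loads(text)["Records"]


def triage(records):
    """Return (eventTime, eventName, actor ARN, sourceIP, reason) tuples for events worth a closer look."""
    findings = []
    for r in records:
        identity = r.get("userIdentity", {})
        base = (r["eventTime"], r["eventName"], identity.get("arn", "<unknown>"), r.get("sourceIPAddress"))
        if identity.get("type") == "Root":
            findings.append(base + ("root account activity",))
        if r["eventName"] in AUDIT_TAMPERING:
            findings.append(base + ("CloudTrail logging configuration changed",))
        if r.get("errorCode") == "AccessDenied":
            findings.append(base + ("AccessDenied error (check for permission enumeration)",))
    return findings


def events_by_source_ip(records):
    """Count events per source IP so one suspicious call can be pivoted to everything else from that address."""
    return Counter(r.get("sourceIPAddress") for r in records)


if __name__ == "__main__":
    recs = load_records(SAMPLE_CLOUDTRAIL)
    for finding in triage(recs):
        print(*finding)
    print(events_by_source_ip(recs))
```

The same functions work on the per-file JSON that CloudTrail delivers to S3 once each gzipped file is read and decompressed; the triage rules are deliberately a short list that an analyst would extend for their own environment.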
Azure Logs as Seen in Azure Monitor
The Azure Activity Log provides data on all subscription-level events in Azure. It is crucial for understanding operations such as resource creation, modification, and deletion.
Diagnostic logs collect data from Azure resources such as virtual machines, web apps, and SQL databases. These logs are vital for monitoring resource health and performance.
Azure Active Directory (AAD) logs capture user sign-ins and application usage patterns, providing insights into authentication events and potential unauthorized access attempts.
Network security group (NSG) flow logs provide information about ingress and egress IP traffic through an NSG. These logs are essential for analyzing network traffic and identifying potential threats.
Security Center alerts offer a unified view of security alerts and recommendations. They help in identifying and responding to potential threats across Azure resources.
Application Gateway access logs capture request and response details processed by the Azure Application Gateway. They are crucial for monitoring application traffic and identifying suspicious activities.
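The NSG flow logs mentioned above are stored as JSON in which each flow is a comma-separated tuple nested three levels deep, so they are awkward to read without a parser. The following Python is an added example written for this post (not Cado's or Microsoft's code): it flattens a constructed version 2 NSG flow log record into flow objects and summarises denied inbound traffic by source address and destination port. The subscription path, MAC address and IP addresses are invented.

```python
import json
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of one NSG flow log (version 2) record.
# Subscription id, resource names, MAC and IP addresses are invented for this example.
SAMPLE_NSG_FLOW_LOG = json.dumps({
    "records": [{
        "time": "2024-05-01T10:00:35.0000000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-EXAMPLE"
                      "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-EXAMPLE",
        "operationName": "NetworkSecurityGroupFlowEvents",
        "properties": {
            "Version": 2,
            "flows": [
                {
                    "rule": "DefaultRule_DenyAllInBound",
                    "flows": [{
                        "mac": "000D3A000001",
                        "flowTuples": [
                            "1714557600,198.51.100.20,10.0.0.4,51234,22,T,I,D,B,,,,",
                            "1714557601,198.51.100.20,10.0.0.4,51235,3389,T,I,D,B,,,,",
                            "1714557602,203.0.113.9,10.0.0.4,40001,445,T,I,D,B,,,,",
                        ],
                    }],
                },
                {
                    "rule": "UserRule_AllowHTTPS",
                    "flows": [{
                        "mac": "000D3A000001",
                        "flowTuples": [
                            "1714557603,192.0.2.50,10.0.0.4,44931,443,T,I,A,E,12,5400,10,9800",
                        ],
                    }],
                },
            ],
        },
    }]
})


@dataclass
class Flow:
    time: int            # Unix epoch seconds
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str        # "T" = TCP, "U" = UDP
    direction: str       # "I" = inbound, "O" = outbound
    decision: str        # "A" = allowed, "D" = denied
    rule: str            # NSG rule that produced the decision
    state: str = ""      # version 2 only: B = begin, C = continuing, E = end
    bytes_total: int = 0 # version 2 only: bytes in both directions, when reported


def parse_tuple(raw, rule):
    """Parse one comma-separated flow tuple (version 1 or 2) into a Flow."""
    f = raw.split(",")
    flow = Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]), f[5], f[6], f[7], rule)
    if len(f) >= 13:  # version 2 appends state, then packets/bytes src->dst and dst->src
        flow.state = f[8]
        flow.bytes_total = sum(int(x) for x in (f[10], f[12]) if x)
    return flow


def parse_nsg_flow_log(text):
    """Flatten records -> properties.flows -> flows -> flowTuples into a list of Flow objects."""
    flows = []
    for record in json.loads(text)["records"]:
        for rule_block in record["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for raw in nic["flowTuples"]:
                    flows.append(parse_tuple(raw, rule_block["rule"]))
    return flows


def denied_inbound_by_source(flows):
    """Count denied inbound flows per source IP: the addresses to examine first."""
    return Counter(f.src_ip for f in flows if f.direction == "I" and f.decision == "D")


def denied_inbound_ports(flows):
    """Sorted destination ports that were denied inbound, e.g. to spot probing of management ports."""
    return sorted({f.dst_port for f in flows if f.direction == "I" and f.decision == "D"})


if __name__ == "__main__":
    parsed = parse_nsg_flow_log(SAMPLE_NSG_FLOW_LOG)
    print(denied_inbound_by_source(parsed))
    print(denied_inbound_ports(parsed))
```

Real flow logs are written hourly as PT1H.json blobs in a storage account, one per NSG, so in practice the parser is run over every blob in the time window of interest and the counters are merged.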
GCP Log Explorer
Cloud Audit Logs include Admin Activity logs, Data Access logs, and System Event logs. These logs are essential for tracking administrative actions, data access, and system events within GCP.
Similar to AWS and Azure, GCP's VPC Flow Logs capture information about the network traffic to and from VM instances. These logs are crucial for network monitoring and security analysis.
Cloud Logging is a centralized log management service that aggregates log data from various GCP services. It provides real-time log analysis and monitoring capabilities.
Access Transparency logs provide visibility into actions taken by Google personnel while accessing your data. They are essential for ensuring compliance and tracking any internal access to sensitive information.
Google Kubernetes Engine (GKE) logs include cluster-level and node-level logs. They are vital for monitoring and troubleshooting containerized applications running on GKE.
Cloud Storage access logs record operations on buckets and objects, providing insights into data access and modifications.
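To show how the three Cloud Audit Logs streams described above are told apart and queried, here is an added Python example written for this post (not Cado's playbooks or a Google-provided tool). It works on constructed LogEntry objects in the shape Cloud Logging returns: the stream is taken from the last segment of logName, the protoPayload is reduced to the fields an analyst pivots on, and Admin Activity entries that change IAM policy or delete resources are picked out. The project id, principals and IP addresses are invented.

```python
# Constructed sample: three LogEntry objects, one from each Cloud Audit Logs stream.
# Project id, bucket, principals and caller IPs are invented for this example.
SAMPLE_AUDIT_ENTRIES = [
    {
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2024-05-01T10:00:00Z",
        "severity": "NOTICE",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "resourceName": "projects/example-project",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.10"},
        },
    },
    {
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "timestamp": "2024-05-01T10:01:00Z",
        "severity": "INFO",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "storage.googleapis.com",
            "methodName": "storage.objects.get",
            "resourceName": "projects/_/buckets/example-bucket/objects/customers.csv",
            "authenticationInfo": {"principalEmail": "svc-reporting@example-project.iam.gserviceaccount.com"},
            "requestMetadata": {"callerIp": "198.51.100.7"},
        },
    },
    {
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fsystem_event",
        "timestamp": "2024-05-01T10:02:00Z",
        "severity": "INFO",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "compute.googleapis.com",
            "methodName": "compute.instances.migrateOnHostMaintenance",
            "resourceName": "projects/example-project/zones/us-central1-a/instances/web-1",
            "authenticationInfo": {"principalEmail": "system@google.com"},
        },
    },
]

# The last path segment of logName ("/" is URL-encoded as %2F) names the audit stream.
STREAMS = {
    "cloudaudit.googleapis.com%2Factivity": "admin_activity",
    "cloudaudit.googleapis.com%2Fdata_access": "data_access",
    "cloudaudit.googleapis.com%2Fsystem_event": "system_event",
}

# Method-name fragments for Admin Activity calls that change access or destroy resources.
SENSITIVE_METHODS = ("SetIamPolicy", ".delete", "Delete")


def stream_of(entry):
    """Map a LogEntry to its Cloud Audit Logs stream, or 'other' for non-audit log entries."""
    return STREAMS.get(entry["logName"].rsplit("/", 1)[-1], "other")


def summarize(entry):
    """Reduce an audit LogEntry to when, who, from where, did what, to which resource."""
    p = entry["protoPayload"]
    return {
        "stream": stream_of(entry),
        "time": entry["timestamp"],
        "principal": p.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
        "caller_ip": p.get("requestMetadata", {}).get("callerIp", ""),
        "service": p.get("serviceName", ""),
        "method": p.get("methodName", ""),
        "resource": p.get("resourceName", ""),
    }


def sensitive_admin_actions(entries):
    """Summaries of Admin Activity entries whose method grants access or deletes something."""
    out = []
    for e in entries:
        s = summarize(e)
        if s["stream"] == "admin_activity" and any(m in s["method"] for m in SENSITIVE_METHODS):
            out.append(s)
    return out


def data_access_by_principal(entries):
    """Count Data Access entries per principal. Note that Data Access logs are disabled by
    default for most services (BigQuery is the main exception), so an empty result may mean
    the stream was never enabled rather than that nobody read the data."""
    counts = {}
    for e in entries:
        s = summarize(e)
        if s["stream"] == "data_access":
            counts[s["principal"]] = counts.get(s["principal"], 0) + 1
    return counts


if __name__ == "__main__":
    for action in sensitive_admin_actions(SAMPLE_AUDIT_ENTRIES):
        print(action["time"], action["principal"], action["caller_ip"], action["method"], action["resource"])
    print(data_access_by_principal(SAMPLE_AUDIT_ENTRIES))
```

The entries can come from a Log Explorer export or from a log sink into Cloud Storage; the code only depends on the logName and protoPayload fields, which are the same in both.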
Understanding and accessing the key log sources in AWS, Azure, and GCP is crucial for effective incident response in cloud environments. By utilizing these logs, security teams can gain deeper visibility into their cloud infrastructure, detect potential threats early, and respond efficiently to security incidents.
For more detailed guidance on incident response and leveraging these log sources, take a look at Cado’s playbooks for AWS, Azure, and GCP:
By integrating these log sources into your security operations, you can significantly enhance your organization's ability to protect against and respond to security incidents in the cloud.