Cloud Incident Response Blog | Cado Security

Key Log Sources in the 3 Main Cloud Providers

Written by Calum Hall | Aug 9, 2024 11:00:00 AM

As organizations increasingly adopt cloud technologies across multiple cloud environments, understanding key log sources within each of the major cloud environments becomes crucial knowledge for effective incident response and security management. This blog will look at some of the most useful log sources for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).


Amazon Web Services (AWS)

[Figure: AWS CloudTrail Event History Logs]

  1. CloudTrail Logs:

CloudTrail is essential for monitoring AWS account activity. It captures all API calls and actions across AWS services, providing a comprehensive record of activities for auditing and forensic investigations.

  2. CloudWatch Logs:

CloudWatch Logs collects and monitors log data from AWS resources, applications, and services. It is crucial for real-time application monitoring, troubleshooting, and ensuring operational health.

  3. VPC Flow Logs:

These logs capture information about the IP traffic going to and from network interfaces in a Virtual Private Cloud (VPC). They are essential for network monitoring and troubleshooting security issues.

  4. S3 Access Logs:

Amazon S3 can be configured to create access log records for the requests made against it. These logs are vital for monitoring data access and detecting potential unauthorized access or data breaches.

  5. IAM Access Analyzer:

IAM Access Analyzer helps monitor access permissions granted to AWS resources. It generates detailed logs on who accessed what, enhancing visibility into potential security risks associated with access permissions.

  6. Lambda Logs:

Lambda functions generate logs that are automatically collected by CloudWatch Logs. These logs help in monitoring the performance of serverless applications and troubleshooting issues related to them.
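To show how the first two AWS sources above fit together during an investigation, here is an added example (not Cado's code and not part of the original post) that normalizes CloudTrail records and default-format VPC Flow Log lines into one timeline. The CloudTrail records and flow log lines are constructed samples; the field names follow the documented CloudTrail record and VPC Flow Log default formats.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail records (sample values only, not a real account).
CLOUDTRAIL_JSON = json.dumps({"Records": [
    {"eventTime": "2024-08-09T10:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "readOnly": False, "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-08-09T10:16:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "readOnly": True, "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

# Constructed VPC Flow Log lines in the default (version 2) format; the start
# and end columns are Unix seconds, so 1723198440 is 2024-08-09T10:14:00Z.
FLOW_LOG_TEXT = """\
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.5 40000 3389 6 3 180 1723198440 1723198500 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 51234 22 6 12 1800 1723198620 1723198680 ACCEPT OK
"""
FLOW_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
               "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

def parse_cloudtrail(raw):
    # Each record is one API call; readOnly=False marks calls that changed state.
    events = []
    for r in json.loads(raw)["Records"]:
        ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ident = r.get("userIdentity", {})
        events.append({"time": ts, "source": "cloudtrail",
                       "actor": ident.get("userName") or ident.get("arn") or ident.get("type"),
                       "action": f'{r["eventSource"]}:{r["eventName"]}',
                       "ip": r.get("sourceIPAddress"), "mutating": not r.get("readOnly", False)})
    return events

def parse_flow_logs(text):
    # Each line is one flow observed on a network interface (ENI) during a capture window.
    events = []
    for line in text.splitlines():
        f = dict(zip(FLOW_FIELDS, line.split()))
        events.append({"time": datetime.fromtimestamp(int(f["start"]), tz=timezone.utc),
                       "source": "vpcflow", "actor": f["srcaddr"], "ip": f["srcaddr"],
                       "action": f'{f["action"]} {f["srcaddr"]}:{f["srcport"]}->{f["dstaddr"]}:{f["dstport"]}',
                       "mutating": False})
    return events

def build_timeline(cloudtrail_raw, flow_text):
    # Merge both sources into one chronologically ordered list for the analyst.
    return sorted(parse_cloudtrail(cloudtrail_raw) + parse_flow_logs(flow_text),
                  key=lambda e: e["time"])
```

Calling build_timeline(CLOUDTRAIL_JSON, FLOW_LOG_TEXT) on the samples returns four events in the order REJECT flow, AuthorizeSecurityGroupIngress, ListBuckets, ACCEPT flow, so a state-changing API call can be read next to the network traffic that followed it.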


Microsoft Azure

[Figure: Azure Logs as Seen in Azure Monitor]

  1. Azure Activity Logs:

These logs provide data on all subscription-level events in Azure. They are crucial for understanding operations such as resource creation, modification, and deletion.

  2. Azure Diagnostic Logs:

Diagnostic logs collect data from Azure resources such as virtual machines, web apps, and SQL databases. These logs are vital for monitoring resource health and performance.

  3. Azure Active Directory (AAD) Logs:

AAD logs capture user sign-ins and application usage patterns, providing insights into authentication events and potential unauthorized access attempts.

  4. Network Security Group (NSG) Flow Logs:

NSG flow logs provide information about ingress and egress IP traffic through an NSG. These logs are essential for analyzing network traffic and identifying potential threats.

  5. Azure Security Center Alerts:

Security Center alerts offer a unified view of security alerts and recommendations. They help in identifying and responding to potential threats across Azure resources.

  6. Application Gateway Logs:

These logs capture request and response details processed by the Azure Application Gateway. They are crucial for monitoring application traffic and identifying suspicious activities.


Google Cloud Platform (GCP)

[Figure: GCP Log Explorer]

  1. Cloud Audit Logs:

Cloud Audit Logs include Admin Activity logs, Data Access logs, and System Event logs. These logs are essential for tracking administrative actions, data access, and system events within GCP.

  2. VPC Flow Logs:

Similar to AWS and Azure, GCP's VPC Flow Logs capture information about the network traffic to and from VM instances. These logs are crucial for network monitoring and security analysis.

  3. Cloud Logging:

Cloud Logging is a centralized log management service that aggregates log data from various GCP services. It provides real-time log analysis and monitoring capabilities.

  4. Access Transparency Logs:

These logs provide visibility into actions taken by Google personnel while accessing your data. They are essential for ensuring compliance and tracking any internal access to sensitive information.

  5. GKE Logs:

Google Kubernetes Engine (GKE) logs include cluster-level and node-level logs. They are vital for monitoring and troubleshooting containerized applications running on GKE.

  6. Cloud Storage Logs:

Cloud Storage access logs record operations on buckets and objects, providing insights into data access and modifications.
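The three Cloud Audit Log types listed first in this section arrive as separate log streams in Cloud Logging. The following added example (not Cado's code and not from the original post) tells them apart by the logName suffix and pulls out the fields an analyst needs; the three entries are constructed samples whose field names follow the documented AuditLog protoPayload schema.

```python
# Constructed Cloud Audit Log entries as exported from Cloud Logging (sample values only).
AUDIT_ENTRIES = [
    {"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity",
     "timestamp": "2024-08-09T10:20:00Z",
     "protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey",
                      "resourceName": "projects/-/serviceAccounts/svc@example-proj.iam.gserviceaccount.com",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "requestMetadata": {"callerIp": "203.0.113.10"}}},
    {"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Fdata_access",
     "timestamp": "2024-08-09T10:21:00Z",
     "protoPayload": {"methodName": "storage.objects.get",
                      "resourceName": "projects/_/buckets/example-bucket/objects/secrets.txt",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "requestMetadata": {"callerIp": "203.0.113.10"}}},
    {"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Fsystem_event",
     "timestamp": "2024-08-09T10:22:00Z",
     "protoPayload": {"methodName": "compute.instances.migrateOnHostMaintenance",
                      "resourceName": "projects/example-proj/zones/us-central1-a/instances/vm-1"}},
]

AUDIT_LOG_TYPES = {"activity": "admin_activity", "data_access": "data_access",
                   "system_event": "system_event"}

def audit_log_type(entry):
    # The log type is the URL-escaped suffix of logName (%2F encodes "/").
    suffix = entry["logName"].rsplit("%2F", 1)[-1]
    return AUDIT_LOG_TYPES.get(suffix, "unknown")

def summarize(entry):
    # Who, from where, did what, to which resource; system events carry no principal.
    p = entry.get("protoPayload", {})
    return {"time": entry["timestamp"], "type": audit_log_type(entry),
            "principal": p.get("authenticationInfo", {}).get("principalEmail"),
            "caller_ip": p.get("requestMetadata", {}).get("callerIp"),
            "method": p.get("methodName"), "resource": p.get("resourceName")}

def group_by_type(entries):
    # Bucket entries by audit log type. Data Access logs are disabled by default for
    # most services (BigQuery excepted), so an empty bucket may just mean "not enabled".
    groups = {}
    for e in entries:
        groups.setdefault(audit_log_type(e), []).append(summarize(e))
    return groups

def actions_by_principal(entries, principal):
    # Everything one identity did, in time order, across all three audit log types.
    rows = [summarize(e) for e in entries]
    return sorted((r for r in rows if r["principal"] == principal), key=lambda r: r["time"])
```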


Understanding and accessing the key log sources in AWS, Azure, and GCP is crucial for effective incident response in cloud environments. By utilizing these logs, security teams can gain deeper visibility into their cloud infrastructure, detect potential threats early, and respond efficiently to security incidents.


For more detailed guidance on incident response and leveraging these log sources, take a look at Cado's playbooks for AWS, Azure, and GCP.


By integrating these log sources into your security operations, you can significantly enhance your organization's ability to protect against and respond to security incidents in the cloud.