5.4. Audit Logging
Audit logging creates a comprehensive record of all data access and system modifications, serving as the essential "surveillance system" for your AWS environment. By centralizing and analyzing these logs, you can satisfy compliance requirements, investigate security incidents, and maintain a high bar for data governance.
First Principle: Audit logging creates an immutable record of who accessed what data and when; think of it as the surveillance camera system for your data pipeline. Without audit logs, compliance teams can't prove that sensitive data was accessed only by authorized personnel, incident responders can't determine the blast radius of a breach, and regulators can't verify that your organization follows its stated policies. What's the first thing an investigator asks after a data incident? "Show me the logs." If you don't have them, you have no answers.
Imagine a security camera system for your data lake: CloudTrail is the camera, and the footage it captures answers "who accessed what, when, and from where." Consider a scenario where a table is deleted at 3 AM: without data events enabled, you have no footage of who did it.
The exam tests two logging dimensions: what to log (CloudTrail for API calls, CloudWatch Logs for application output) and how to analyze logs (Athena for SQL queries, CloudTrail Lake for centralized audit queries, OpenSearch for interactive search, and CloudWatch Logs Insights for quick investigation). Building a logging architecture means ensuring every access is captured and every log is queryable.
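As an added example (not from the original text), the 3 AM scenario above worked through in code: a small investigator's script that reads a CloudTrail log file in its native `Records` shape and pulls out every destructive call in a time window, along with who made it and from where. The log records, names and IP addresses are constructed for the demo; note that the Glue `DeleteTable` record is a management event (captured by default), while the S3 `DeleteObject` record is a data event that only appears if data events were enabled on the trail.

```python
import json
from datetime import datetime, timezone

# Constructed sample in CloudTrail's log-file shape ({"Records": [...]}); not real log data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T03:02:11Z", "eventSource": "glue.amazonaws.com",
     "eventName": "DeleteTable", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"databaseName": "sales", "name": "orders"}},
    # S3 object-level call: a data event, present only if the trail logs S3 data events.
    {"eventTime": "2024-03-01T03:05:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/etl-role/session1"},
     "requestParameters": {"bucketName": "example-lake", "key": "orders/part-0001.parquet"}},
    {"eventTime": "2024-03-01T09:15:00Z", "eventSource": "athena.amazonaws.com",
     "eventName": "StartQueryExecution", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "requestParameters": {}},
]})

# API names an investigator would look for first after "the table is gone".
DESTRUCTIVE = {"DeleteTable", "DeleteDatabase", "DeletePartition", "DeleteObject", "DeleteBucket"}


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def actor(record):
    """Best human-readable principal: IAM user name, else the STS/role ARN, else the identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def find_destructive_events(log_text, start, end):
    """Return (eventTime, actor, eventName, sourceIP, target) for destructive calls in [start, end)."""
    start_t, end_t = parse_time(start), parse_time(end)
    hits = []
    for rec in json.loads(log_text)["Records"]:
        if rec["eventName"] not in DESTRUCTIVE:
            continue
        if not (start_t <= parse_time(rec["eventTime"]) < end_t):
            continue
        params = rec.get("requestParameters") or {}
        target = params.get("name") or params.get("key") or params.get("bucketName") or params.get("databaseName")
        hits.append((rec["eventTime"], actor(rec), rec["eventName"], rec["sourceIPAddress"], target))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_destructive_events(SAMPLE_LOG, "2024-03-01T02:00:00Z", "2024-03-01T04:00:00Z"):
        print(hit)
```

The same filter expressed as an Athena query over a CloudTrail table would select on `eventname` and `eventtime`, which is the pattern the exam expects for "analyze the logs with SQL."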