3.2.1.5. Security Configurations for Log Collection (IAM Roles/Permissions)

3.2.1.5. Securing Log Collection & Storage (IAM, Policies)

Logs are a security asset and a security risk. They contain evidence for investigations but may also contain sensitive data that must be protected.

IAM policies for log access:

• Least privilege by log group: Grant logs:GetLogEvents only on specific log groups, not logs:* on *
• Environment separation: Use resource-based patterns: arn:aws:logs:*:*:log-group:/prod/* for production access
• Write vs. read separation: Applications need PutLogEvents; analysts need GetLogEvents and FilterLogEvents

{
  "Effect": "Allow",
  "Action": ["logs:GetLogEvents", "logs:FilterLogEvents", "logs:StartQuery"],
  "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/prod/*:*"
}

Log immutability for compliance:

• S3 Object Lock (WORM) prevents log deletion for a retention period
• CloudWatch Logs retention policies auto-delete after configured days (1 day to indefinite)
• Cross-account log archival: ship logs to a security account where the application team has no delete permissions

Sensitive data protection:

• CloudWatch Logs data protection policies automatically detect and mask PII (credit cards, SSNs, email addresses) in log events
• Use logs:CreateLogDelivery and logs:PutDataProtectionPolicy to configure masking rules

Exam Trap: CloudWatch Logs data is stored indefinitely by default (retention = Never expire). This creates both cost and compliance issues. Always set explicit retention periods. For compliance, export logs to S3 with lifecycle policies — it's cheaper than CloudWatch Logs for long-term storage and supports S3 Object Lock for immutability.