Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
3.4.3.1. Security Auditing Services & Features (CloudTrail, AWS Config, IAM Access Analyzer)
Security auditing answers three questions: Who did what? Is our configuration correct? Are our permissions too broad?
CloudTrail (who did what):
- Records every API call with: principal, action, resource, timestamp, source IP
- Organization trail captures all accounts
- Log file integrity validation detects tampering
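The tampering check behind log file integrity validation, as an added example (not from the course notes): each log file's SHA-256 must match the hashValue recorded for it in the CloudTrail digest file, so any edit or replacement of a stored log shows up as a hash mismatch. The field names follow the digest file format CloudTrail writes to S3; the log record and S3 key are constructed sample data, and the RSA signature check over the digest itself is left out.

```python
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_digest(digest: dict, s3_objects: dict[str, bytes]) -> list[str]:
    """Return the problems found; an empty list means every covered log file is intact.

    s3_objects maps S3 keys to the exact bytes stored in S3. CloudTrail hashes the
    gzipped object as stored, so files are hashed compressed, not decompressed.
    """
    problems = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if key not in s3_objects:
            problems.append(f"{key}: log file missing (deleted?)")
        elif entry["hashAlgorithm"] != "SHA-256":
            problems.append(f"{key}: unexpected hashAlgorithm {entry['hashAlgorithm']}")
        elif sha256_hex(s3_objects[key]) != entry["hashValue"]:
            problems.append(f"{key}: hash mismatch (modified or replaced after delivery)")
    return problems


def build_sample(tamper: bool = False):
    """Constructed log file plus matching digest entry (sample data, not real logs).

    With tamper=True the stored log is rewritten after the digest was produced,
    which is the case integrity validation exists to catch.
    """
    log_key = "AWSLogs/123456789012/CloudTrail/us-east-1/2026/01/01/sample.json.gz"
    records = {"Records": [{"eventName": "StopLogging",
                            "userIdentity": {"arn": "arn:aws:iam::123456789012:user/sample"}}]}
    log_gz = gzip.compress(json.dumps(records).encode())
    digest = {"awsAccountId": "123456789012",
              "logFiles": [{"s3Object": log_key, "hashAlgorithm": "SHA-256",
                            "hashValue": sha256_hex(log_gz)}]}
    if tamper:
        log_gz = gzip.compress(b'{"Records": []}')  # event quietly removed
    return digest, {log_key: log_gz}


if __name__ == "__main__":
    for tampered in (False, True):
        digest, objects = build_sample(tamper=tampered)
        print("tampered" if tampered else "intact", "->", check_digest(digest, objects) or "OK")
```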
AWS Config (is our configuration correct):
- Tracks resource configuration over time
- Evaluates compliance against rules
- Configuration timeline shows every change to a resource
IAM Access Analyzer (are our permissions too broad):
- External access analysis: Finds resources shared with external accounts or public access (S3 buckets, IAM roles, KMS keys, Lambda functions, SQS queues)
- Unused access analysis: Identifies IAM roles and permissions not used in 90+ days
- Policy validation: Checks IAM policies for syntax errors and security issues
- Policy generation: Creates least-privilege policies from CloudTrail activity
# Check for external access findings
aws accessanalyzer list-findings \
--analyzer-arn "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/org-analyzer" \
--filter '{"status": {"eq": ["ACTIVE"]}, "resourceType": {"eq": ["AWS::S3::Bucket"]}}'
Exam Trap: IAM Access Analyzer's external access analysis only identifies resources accessible from outside the zone of trust (your account or organization). It doesn't flag overly permissive access within the account. For internal over-permissioning, use the unused access analyzer or policy generation features.

Written by Alvin Varughese • Founder • 15 professional certifications