Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.4.3.4. Implementing Robust Security Auditing

Security auditing must be tamper-proof, comprehensive, and continuously analyzed — not just stored.

Tamper-proof audit trail:
  1. CloudTrail delivers logs to S3 with log file integrity validation enabled (signed digest files let you prove a delivered log file was not modified, deleted, or replaced)
  2. S3 bucket: Object Lock (WORM), a bucket policy that denies s3:DeleteObject, and ownership by a separate security account (an attacker who compromises the application account cannot reach the audit copy)
  3. SCP: deny cloudtrail:StopLogging and cloudtrail:DeleteTrail across all accounts
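The two deny policies from the list above, written out as an added example (not course material or AWS-supplied code), together with a small evaluator that models only the "explicit Deny wins" rule of IAM and SCP evaluation. The bucket name, account id and statement Sids are placeholders; the CloudTrail service principal, the s3:GetBucketAcl / s3:PutObject pair and the bucket-owner-full-control condition are the standard requirements for a CloudTrail delivery bucket.

```python
"""Added example (not from the course page): build the SCP and the audit-bucket
policy described above and check them against sample actions with a tiny
'explicit Deny wins' evaluator. The account id, bucket name and Sids are
placeholders; the evaluator models only Deny-statement matching, not full
IAM/SCP evaluation (no Allow lookup, no conditions, no resource matching)."""
import fnmatch
import json

AUDIT_BUCKET = "org-cloudtrail-logs"    # placeholder: bucket in the security account
APP_ACCOUNT_ID = "111111111111"         # placeholder: application account id


def build_cloudtrail_protection_scp() -> dict:
    """SCP for the organization root: denies the two calls that silence the
    trail for every principal in every member account, including each
    account's root user (in-account admins cannot override an SCP)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCloudTrailTampering",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
            "Resource": "*",
        }],
    }


def build_audit_bucket_policy() -> dict:
    """Bucket policy for the security-account bucket: let the CloudTrail
    service write log files, and deny object deletion to everyone. Object
    Lock (WORM) is a separate bucket-level setting; it blocks deletion even
    by the bucket owner for the retention period."""
    bucket_arn = f"arn:aws:s3:::{AUDIT_BUCKET}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn,
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/AWSLogs/{APP_ACCOUNT_ID}/*",
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
            {
                "Sid": "DenyDeleteForEveryone",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
                "Resource": f"{bucket_arn}/*",
            },
        ],
    }


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and accept '*' / '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_denied(policy: dict, action: str) -> bool:
    """True if any Deny statement in the policy lists a matching action.
    An explicit Deny always wins over any Allow, which is why the SCP and the
    bucket-policy deny hold even against an administrator in the account."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_action_matches(p, action) for p in actions):
            return True
    return False


if __name__ == "__main__":
    scp = build_cloudtrail_protection_scp()
    print(json.dumps(scp, indent=2))
    for action in ("cloudtrail:StopLogging", "cloudtrail:LookupEvents"):
        verdict = "DENIED" if is_denied(scp, action) else "not denied by SCP"
        print(f"{action}: {verdict}")
```

Run it to print the SCP document and see which sample actions it blocks; the same `is_denied` check applied to the bucket policy confirms that `s3:DeleteObject` is refused for every principal while `s3:PutObject` by the CloudTrail service is left to the Allow statements.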
Comprehensive coverage:
  • Management events: all API calls (default)
  • Data events: S3 object access, Lambda invocations, DynamoDB reads (enable explicitly — high volume)
  • Insights events: unusual API call patterns
Continuous analysis pipeline:
CloudTrail → S3 → Athena (ad-hoc queries)
          → CloudWatch Logs → Metric Filters → Alarms
          → EventBridge → Lambda (real-time detection)
          → Security Hub → Findings dashboard
Key CloudTrail metric filters for security alerting:
# Root account usage
{ $.userIdentity.type = "Root" && $.eventType != "AwsServiceEvent" }

# Console login without MFA
{ $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed = "No" }

# Authorization failures (potential scanning); most services return AccessDenied, EC2 returns Client.UnauthorizedOperation
{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
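To see which record fields the three filters actually inspect, here is an added example (not course material) that re-expresses each pattern as a Python predicate and runs it over a constructed CloudTrail log file. CloudWatch Logs evaluates the real filter syntax; these predicates mirror its matching so the logic can be exercised offline. The authorization-failure predicate uses the error-code forms CloudTrail emits, `AccessDenied` and EC2's `Client.UnauthorizedOperation`. The records and user names are constructed sample data.

```python
"""Added example (not part of the course page): the three metric-filter
patterns re-expressed as Python predicates and run over a constructed
CloudTrail log file, so the fields each filter inspects are visible.
CloudWatch Logs evaluates the real filter syntax; these predicates only
mirror its matching for study and offline testing."""
import json

# Constructed CloudTrail log-file content (real files are gzipped JSON with a
# top-level "Records" array); records trimmed to the fields the filters use.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "scanner"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "GetObject", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole"},
     "errorCode": "AccessDenied"},
    {"eventName": "CreateSnapshot", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root"}},          # service-initiated: excluded
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]})


def load_records(log_file_text: str) -> list:
    """Parse one CloudTrail log file (already decompressed) into its records."""
    return json.loads(log_file_text)["Records"]


# { $.userIdentity.type = "Root" && $.eventType != "AwsServiceEvent" }
def is_root_usage(ev: dict) -> bool:
    return (ev.get("userIdentity", {}).get("type") == "Root"
            and ev.get("eventType") != "AwsServiceEvent")


# { $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed = "No" }
def is_console_login_without_mfa(ev: dict) -> bool:
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("additionalEventData", {}).get("MFAUsed") == "No")


# { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
def is_authorization_failure(ev: dict) -> bool:
    code = ev.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


DETECTIONS = {
    "RootAccountUsage": is_root_usage,
    "ConsoleLoginWithoutMFA": is_console_login_without_mfa,
    "AuthorizationFailures": is_authorization_failure,
}


def run_detections(records: list) -> dict:
    """Return {filter_name: [index of each matching record]}. A metric filter
    emits a value of 1 per matching record; the alarm fires on the sum over
    its evaluation period."""
    return {name: [i for i, ev in enumerate(records) if pred(ev)]
            for name, pred in DETECTIONS.items()}


if __name__ == "__main__":
    for name, hits in run_detections(load_records(SAMPLE_LOG_FILE)).items():
        print(f"{name}: {len(hits)} match(es) at record index {hits}")
```

Note the fourth record: the root identity appears, but because the event is service-initiated (`AwsServiceEvent`) the root-usage filter correctly ignores it, which is the reason for the `eventType` clause in the pattern.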

Exam Trap: CloudTrail logging can be disabled by an administrator — which is exactly what an attacker would do after gaining admin access. Protect against this with an SCP that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail for all accounts. Store logs in a separate security account where application account admins have no access.

Written by Alvin Varughese, Founder, 15 professional certifications