Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
3.4.3.6. Configuring Service & Application Logging (CloudTrail, CloudWatch, VPC Flow Logs)
Comprehensive logging means no blind spots — every network flow, API call, and application event is captured and searchable.
Essential log sources for security:
| Log Source | What It Captures | Destination | Enable By |
|---|---|---|---|
| CloudTrail | AWS API calls: management events by default; S3 object-level and Lambda invoke data events must be enabled separately | S3 (optionally also CloudWatch Logs) | Create a trail (Event history alone keeps only 90 days of management events) |
| VPC Flow Logs | Network traffic metadata (source, dest, port, protocol, action), never packet contents | S3, CloudWatch Logs, or Kinesis Data Firehose | Per-VPC, subnet, or ENI |
| ALB Access Logs | HTTP request details (client IP, path, response code, processing time) | S3 | Per-ALB attribute |
| CloudFront Logs | Edge request details (standard logs) | S3 | Per-distribution |
| Route 53 Query Logs | DNS queries that Route 53 answers for your public hosted zones | CloudWatch Logs | Per-hosted zone |
| Route 53 Resolver Query Logs | DNS queries made by resources inside a VPC (what your instances look up) | S3, CloudWatch Logs, or Kinesis Data Firehose | Per-VPC |
| S3 Access Logs | Bucket access details (server access logging) | Another S3 bucket | Per-bucket |
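CloudTrail is the one source in the table that records who did what against the control plane, so it is where logging tampering, root usage, and weak console logins show up first. The following is an added example (not code from the original page or from MindMesh Academy) that loads a CloudTrail log file (the `Records` array CloudTrail delivers to S3) and flags those three things. The records are constructed sample data; the event names, `userIdentity.type`, `errorCode`, and the `ConsoleLogin` / `MFAUsed` fields are real CloudTrail fields, but the severities are this example's own choices.

```python
"""Scan CloudTrail records for trail tampering, root activity, and console logins
without MFA. Added example; the records below are constructed, not real account data."""
import json

# CloudTrail management API calls that stop, delete, or narrow a trail.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def load_records(log_file_text):
    """CloudTrail delivers gzipped JSON files to S3 with a top-level 'Records'
    array; this takes the already-decompressed text."""
    return json.loads(log_file_text)["Records"]


def scan_records(records):
    """Return a list of findings, one per matching record."""
    findings = []
    for r in records:
        ident = r.get("userIdentity", {})
        actor = ident.get("arn") or ident.get("type", "unknown")
        base = {"time": r.get("eventTime"), "actor": actor,
                "src": r.get("sourceIPAddress"), "event": r.get("eventName")}
        # A denied call is still recorded, with errorCode set. Keep it: a failed
        # StopLogging shows intent even when IAM blocked it.
        failed = "errorCode" in r

        if (r.get("eventSource") == "cloudtrail.amazonaws.com"
                and r.get("eventName") in TRAIL_TAMPERING):
            findings.append({**base, "type": "trail-tampering",
                             "severity": "medium" if failed else "high",
                             "trail": r.get("requestParameters", {}).get("name")})
        if ident.get("type") == "Root":
            findings.append({**base, "type": "root-activity", "severity": "high"})
        if r.get("eventName") == "ConsoleLogin":
            ok = r.get("responseElements", {}).get("ConsoleLogin") == "Success"
            mfa = r.get("additionalEventData", {}).get("MFAUsed")
            if ok and mfa != "Yes":
                findings.append({**base, "type": "console-login-no-mfa",
                                 "severity": "medium"})
    return findings


# Constructed sample log file (not real): a password-only console login, a
# successful StopLogging, a denied DeleteTrail, one root API call, and one
# benign call from an instance role.
_ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
SAMPLE_TRAIL_FILE = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2026-01-15T10:00:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": _ALICE, "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventVersion": "1.08", "eventTime": "2026-01-15T10:05:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": _ALICE, "requestParameters": {"name": "org-trail"}},
    {"eventVersion": "1.08", "eventTime": "2026-01-15T10:06:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": _ALICE, "requestParameters": {"name": "org-trail"},
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: cloudtrail:DeleteTrail"},
    {"eventVersion": "1.08", "eventTime": "2026-01-15T11:00:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventVersion": "1.08", "eventTime": "2026-01-15T11:30:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"}},
]})

if __name__ == "__main__":
    for finding in scan_records(load_records(SAMPLE_TRAIL_FILE)):
        print(finding)
```

In a real deployment the same logic runs from an S3 event notification or a Lambda subscribed to the trail's CloudWatch Logs group; the point of scanning records rather than relying on a single metric filter is that the denied `DeleteTrail` is as interesting as the successful `StopLogging`.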
VPC Flow Log format:
```
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-abc123 10.0.0.1 10.0.1.5 49152 443 6 10 840 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-abc123 203.0.113.5 10.0.0.1 12345 22 6 3 180 1620000000 1620000060 REJECT OK
```
A custom flow log format (declared as a space-separated list of `${field}` tokens when the flow log is created) adds fields that are missing from the default format and are useful in an investigation: vpc-id and subnet-id, instance-id, tcp-flags, flow-direction (ingress or egress), and pkt-srcaddr/pkt-dstaddr, which preserve the original packet addresses when traffic passes through an intermediate layer such as a NAT gateway. Records with a log-status of NODATA or SKIPDATA carry "-" in the address and port fields, so a parser must not treat them as flows.
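The two sample records above are what a detection engineer actually gets from the S3 or CloudWatch Logs destination, so the useful exercise is to parse them and run a rule over them. The following is an added example (not code from the original page or from MindMesh Academy) that parses default-format and custom-format flow log lines, skips NODATA records, and flags external sources that reach or probe sensitive ports and sources whose rejected flows fan out across many ports. The log lines are constructed sample data; the sensitive-port list and the scan threshold are this example's assumptions, not AWS defaults.

```python
"""Parse VPC Flow Log records (default or custom format) and flag suspicious
external traffic. Added example; the log lines are constructed sample data and
SENSITIVE_PORTS / SCAN_THRESHOLD are assumptions, not AWS defaults."""
import ipaddress
from collections import defaultdict

# Field order of the default (version 2) flow log format.
DEFAULT_FIELDS = (
    "version account-id interface-id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log-status"
).split()

# Ports that should never be reachable from the internet (assumption).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}
SCAN_THRESHOLD = 5  # distinct REJECTed dst ports from one source before we call it a scan

# Explicit internal ranges. ipaddress's is_private is deliberately NOT used: it also
# classifies the TEST-NET documentation ranges (203.0.113.0/24 and friends) as private,
# which would silently hide the attacker addresses used in sample data and AWS docs.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def fields_from_format(fmt):
    """Convert a custom log format string ('${version} ${vpc-id} ...') into the
    ordered field names it produces."""
    names = []
    for tok in fmt.split():
        if not (tok.startswith("${") and tok.endswith("}")):
            raise ValueError(f"bad format token: {tok}")
        names.append(tok[2:-1])
    return names


def parse_flow_log(text, fields=DEFAULT_FIELDS):
    """Parse space-separated flow log lines into dicts keyed by field name.
    '#' comment lines and blank lines are skipped; a wrong field count is an
    error, which catches a parser that does not match the trail's custom format."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(parts)}: {line}")
        records.append(dict(zip(fields, parts)))
    return records


def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_suspicious(records, scan_threshold=SCAN_THRESHOLD):
    """Findings for external sources hitting sensitive ports (ACCEPT is high
    severity, REJECT low) and for sources whose REJECTed flows span many ports."""
    findings = []
    rejected_ports = defaultdict(set)
    for r in records:
        # NODATA / SKIPDATA records carry '-' in the address fields: nothing to evaluate.
        if r["log-status"] != "OK":
            continue
        src, dport, action = r["srcaddr"], int(r["dstport"]), r["action"]
        if not is_external(src):
            continue
        if action == "REJECT":
            rejected_ports[src].add(dport)
        if dport in SENSITIVE_PORTS:
            findings.append({
                "type": "exposed-service" if action == "ACCEPT" else "blocked-probe",
                "severity": "high" if action == "ACCEPT" else "low",
                "src": src, "dst": r["dstaddr"], "service": SENSITIVE_PORTS[dport]})
    for src, ports in rejected_ports.items():
        if len(ports) >= scan_threshold:
            findings.append({"type": "port-scan", "severity": "medium",
                             "src": src, "ports": sorted(ports)})
    return findings


# Constructed sample records (not real traffic): one internal HTTPS flow, a scan
# from 203.0.113.5, an ACCEPTed SSH session from 198.51.100.7, and a NODATA record.
SAMPLE_LOG = """\
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-abc123 10.0.0.1 10.0.1.5 49152 443 6 10 840 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-abc123 203.0.113.5 10.0.0.1 12345 22 6 3 180 1620000000 1620000060 REJECT OK
2 123456789012 eni-abc123 203.0.113.5 10.0.0.1 12346 23 6 1 60 1620000000 1620000060 REJECT OK
2 123456789012 eni-abc123 203.0.113.5 10.0.0.1 12347 80 6 1 60 1620000000 1620000060 REJECT OK
2 123456789012 eni-abc123 203.0.113.5 10.0.0.1 12348 443 6 1 60 1620000000 1620000060 REJECT OK
2 123456789012 eni-abc123 203.0.113.5 10.0.0.1 12349 3389 6 1 60 1620000000 1620000060 REJECT OK
2 123456789012 eni-abc123 198.51.100.7 10.0.0.1 40001 22 6 20 1600 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-abc123 - - - - - - - 1620000000 1620000060 - NODATA
"""

if __name__ == "__main__":
    for finding in find_suspicious(parse_flow_log(SAMPLE_LOG)):
        print(finding)
```

The same `find_suspicious` works unchanged on a custom-format log as long as the format includes srcaddr, dstaddr, dstport, action, and log-status; pass `fields_from_format("${version} ${vpc-id} ... ${log-status}")` as the field list. Note that the ACCEPTed SSH session from 198.51.100.7 is the finding that matters: a REJECT line proves the security group did its job, an ACCEPT line on port 22 from the internet proves it did not.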
Exam Trap: VPC Flow Logs do NOT capture DNS queries to the Amazon-provided resolver (the Route 53 Resolver at the VPC base address plus two), DHCP traffic, traffic to the instance metadata service (169.254.169.254), or traffic to Amazon Time Sync (169.254.169.123). Queries sent to any other DNS server (your own resolver, or a public one such as 8.8.8.8) are logged like any other flow, but only as address and port metadata, never the queried name. If the exam asks about monitoring DNS-based data exfiltration, Flow Logs alone are insufficient: you need Route 53 Resolver query logging, which records the queries resources in the VPC make (public hosted zone query logs only show queries against your own zones), or GuardDuty's DNS-based threat detection.

Written by Alvin Varughese (Founder, 15 professional certifications)