Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.4.3. Security Monitoring & Auditing

You can't protect what you can't see. Without continuous security monitoring, a compromised IAM credential could be used for weeks before anyone notices unusual API call patterns. Without audit logging, you can't prove to compliance auditors that your security controls were in place — or investigate what happened after a breach. Security monitoring is like a building's surveillance system: it doesn't prevent all incidents, but it detects them quickly and provides the evidence needed for investigation and response.

This section covers CloudTrail (API audit trail), AWS Config (configuration compliance), VPC Flow Logs (network traffic analysis), and security analytics services. How would you detect if someone was slowly exfiltrating data from an S3 bucket using legitimate credentials?
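One way to approach the question above, as an added example that is not part of the original course material: aggregate CloudTrail S3 `GetObject` data events per principal per day and flag read volume that stays above that principal's own baseline for several consecutive days, which catches transfers kept small enough to avoid a single-day spike alert. It assumes S3 data events are enabled on the trail (they are not logged by default); the function names, thresholds, ARNs and bucket name are hypothetical, and the records are constructed.

```python
from collections import defaultdict
from statistics import median

def daily_bytes_out(records):
    """Sum GetObject bytesTransferredOut per (principal ARN, bucket) per UTC day."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") != "GetObject":
            continue
        if r.get("errorCode"):  # a denied or failed read moved no data
            continue
        key = (r["userIdentity"]["arn"], r["requestParameters"]["bucketName"])
        sent = (r.get("additionalEventData") or {}).get("bytesTransferredOut", 0)
        totals[key][r["eventTime"][:10]] += int(sent)  # eventTime is ISO 8601 UTC
    return totals

def flag_sustained_reads(records, baseline_days, recent_days, factor=3.0, min_days=3):
    """Return ((principal, bucket), longest_run) where daily read volume stayed above
    factor x that principal's own baseline median for min_days consecutive days."""
    findings = []
    for key, per_day in daily_bytes_out(records).items():
        # Threshold is 0 for a principal with no baseline reads, so any sustained
        # reading by a new principal is surfaced too.
        threshold = factor * median(per_day.get(d, 0) for d in baseline_days)
        run = best = 0
        for day in recent_days:
            run = run + 1 if per_day.get(day, 0) > threshold else 0
            best = max(best, run)
        if best >= min_days:
            findings.append((key, best))
    return findings

# Constructed sample records (hypothetical ARNs and bucket), shaped like CloudTrail S3 data events.
def _event(arn, bucket, day, nbytes):
    return {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
            "eventTime": f"{day}T02:00:00Z", "userIdentity": {"arn": arn},
            "requestParameters": {"bucketName": bucket, "key": "constructed/object"},
            "additionalEventData": {"bytesTransferredOut": nbytes}}

MB = 1024 * 1024
APP = "arn:aws:sts::111122223333:assumed-role/app-role/constructed-session"
ANALYST = "arn:aws:iam::111122223333:user/constructed-analyst"
BUCKET = "constructed-reports-bucket"
BASELINE = [f"2024-05-{d:02d}" for d in range(1, 8)]
RECENT = [f"2024-05-{d:02d}" for d in range(8, 12)]
SAMPLE = ([_event(APP, BUCKET, d, 900 * MB) for d in BASELINE + RECENT]
          + [_event(ANALYST, BUCKET, d, 100 * MB) for d in BASELINE]
          + [_event(ANALYST, BUCKET, d, 400 * MB) for d in RECENT])
```

In the sample, the application role moves more data per day than the analyst ever does, yet only the analyst is flagged, because each principal is compared with its own history rather than a global byte limit.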

Written by Alvin Varughese • Founder • 15 professional certifications