Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.2.2. Configuring Logging for AWS Services

First Principle: Default logging configurations are insufficient for security operations. Most AWS services require explicit configuration to capture security-relevant events, and organizational deployment ensures no account or Region is missed.

CloudTrail Configuration (Critical):
  • Organization trail: Create one trail in the management account that automatically captures API events from ALL accounts in the organization
  • Management events: Logged by default — capture control plane operations (CreateBucket, RunInstances)
  • Data events: NOT logged by default — capture data plane operations (GetObject, InvokeFunction). Must be explicitly enabled per-service.
  • Insights events: ML-based detection of unusual API activity patterns
CloudWatch Agent Configuration:
  • Install the unified CloudWatch agent on EC2 instances to collect OS-level logs and custom application logs
  • Use SSM Agent for push-based deployment across fleets
  • Configure log groups with appropriate retention periods and encryption (KMS)
  • A dedicated logging account is a best practice — receives logs from all accounts, restricts access to the security team
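The agent and log-group guidance above, as an added worked example (this is not MindMesh Academy's code): one function produces the `logs` section of a unified CloudWatch agent configuration that ships OS-level security logs with an explicit retention period, and a second audits the response of CloudWatch Logs `DescribeLogGroups` for groups that lack a retention setting or a customer-managed KMS key. The file paths, log group names, account number and the sample API response are constructed for the example; the agent config keys follow the agent's documented JSON schema.

```python
"""Added example (not MindMesh Academy's code): build a unified CloudWatch
agent log-collection config with explicit retention, and audit log groups
for missing retention or KMS encryption. All paths, group names and the
sample DescribeLogGroups response below are constructed."""
import json
from typing import Dict, List


def agent_config(files: Dict[str, str], retention_days: int = 90) -> Dict:
    """Build the 'logs' section of the unified CloudWatch agent config.

    files maps an on-host log path to the log group that should receive it.
    The stream name uses the agent's {instance_id} placeholder so every
    instance in a fleet writes to its own stream under a shared group.
    """
    collect_list = [
        {
            "file_path": path,
            "log_group_name": group,
            "log_stream_name": "{instance_id}",
            "retention_in_days": retention_days,  # agent creates the group with this retention
        }
        for path, group in files.items()
    ]
    return {"logs": {"logs_collected": {"files": {"collect_list": collect_list}}}}


def weak_log_groups(describe_response: Dict) -> Dict[str, List[str]]:
    """Map each log group name to the controls it is missing.

    'retention' -> retentionInDays absent: events are kept (and billed) forever.
    'kms'       -> kmsKeyId absent: only default service-side encryption.
    """
    findings: Dict[str, List[str]] = {}
    for group in describe_response.get("logGroups", []):
        missing = []
        if "retentionInDays" not in group:
            missing.append("retention")
        if "kmsKeyId" not in group:
            missing.append("kms")
        if missing:
            findings[group["logGroupName"]] = missing
    return findings


# Constructed sample shaped like the output of logs.describe_log_groups().
SAMPLE_DESCRIBE = {
    "logGroups": [
        {
            "logGroupName": "/security/os/auth",
            "retentionInDays": 90,
            "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        },
        {"logGroupName": "/aws/lambda/orders-api", "retentionInDays": 30},
        {"logGroupName": "/app/legacy"},
    ]
}


if __name__ == "__main__":
    cfg = agent_config(
        {
            "/var/log/auth.log": "/security/os/auth",
            "/var/log/audit/audit.log": "/security/os/audit",
        }
    )
    print(json.dumps(cfg, indent=2))
    print(weak_log_groups(SAMPLE_DESCRIBE))
```

The printed config is what you would place in the agent's JSON file before starting it; in a real account `weak_log_groups` would be fed the paginated result of `describe_log_groups` from the logging account, and each finding maps to a `put_retention_policy` or `associate_kms_key` call.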
Service-Specific Logging:
Service     | How to Enable                                        | Key Consideration
------------|------------------------------------------------------|-----------------------------------------------------------
S3          | Server access logging or CloudTrail data events      | Data events provide richer detail
Lambda      | CloudWatch Logs (automatic if role has permissions)  | Execution role needs logs:CreateLogGroup, logs:PutLogEvents
API Gateway | CloudWatch Logs (enable in stage settings)           | Enable both execution logs and access logs
RDS         | Enable audit logs, slow query logs                   | Export to CloudWatch Logs for real-time analysis

⚠️ Exam Trap: CloudTrail data events have per-event costs. Don't enable them for every S3 bucket — target buckets containing sensitive data. The exam may test cost-optimization for logging architectures.

Scenario: A security architect needs to ensure all API activity across 200 accounts is captured, including S3 object-level operations on buckets containing PII. They configure an organization trail with management events enabled globally and data events enabled only for PII-classified buckets.
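The organization-trail design in the CloudTrail section and in the scenario above, as an added worked example (this is not MindMesh Academy's code): the first function builds the advanced event selectors for a trail that logs all management events but S3 data events only for PII-classified buckets, and the second audits a selector set for the cost trap of data events enabled on every bucket. Bucket names are constructed; the dict shape is the `AdvancedEventSelectors` structure that CloudTrail's `PutEventSelectors` API accepts.

```python
"""Added example (not MindMesh Academy's code): CloudTrail advanced event
selectors for an organization trail, scoped so that S3 data events are
billed only for PII buckets. Bucket names are constructed samples."""
from typing import Dict, List


def pii_bucket_arns(bucket_names: List[str]) -> List[str]:
    """Object-level resources are matched by ARN prefix: bucket ARN plus '/'."""
    return [f"arn:aws:s3:::{name}/" for name in bucket_names]


def build_org_trail_selectors(pii_buckets: List[str]) -> List[Dict]:
    """Return advanced event selectors: management events everywhere, S3
    data events restricted to the given buckets (none if the list is empty)."""
    selectors = [
        {
            "Name": "All management events",
            "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Management"]},
            ],
        }
    ]
    if pii_buckets:
        selectors.append(
            {
                "Name": "S3 object-level events on PII buckets only",
                "FieldSelectors": [
                    {"Field": "eventCategory", "Equals": ["Data"]},
                    {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
                    {"Field": "resources.ARN", "StartsWith": pii_bucket_arns(pii_buckets)},
                ],
            }
        )
    return selectors


def unscoped_data_selectors(selectors: List[Dict]) -> List[str]:
    """Names of data-event selectors with no resources.ARN restriction, i.e.
    selectors that would bill one data event per object operation in every
    bucket of every account the organization trail covers."""
    flagged = []
    for sel in selectors:
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if "Data" not in fields.get("eventCategory", {}).get("Equals", []):
            continue
        arn = fields.get("resources.ARN", {})
        if not (arn.get("StartsWith") or arn.get("Equals")):
            flagged.append(sel.get("Name", "<unnamed>"))
    return flagged


if __name__ == "__main__":
    # Constructed sample: two buckets classified as holding PII.
    scoped = build_org_trail_selectors(["acme-customer-pii", "acme-hr-records"])
    print(unscoped_data_selectors(scoped))  # []

    # The exam trap: S3 data events for every bucket in the organization.
    everything = [
        {
            "Name": "all-s3",
            "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Data"]},
                {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
            ],
        }
    ]
    print(unscoped_data_selectors(everything))  # ['all-s3']
```

To apply the result in the management account, create the trail with `IsOrganizationTrail=True` and `IsMultiRegionTrail=True`, then pass the list as `AdvancedEventSelectors` to `put_event_selectors`; running `unscoped_data_selectors` over the output of `get_event_selectors` is a cheap periodic check that nobody has widened the data-event scope since.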

Reflection Question: Why does the exam distinguish between management events and data events, and what are the cost implications of enabling data events broadly?

Written by Alvin Varughese, Founder, 15 professional certifications