Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.2.4. Analyzing Logs with AWS Services

First Principle: Logs are only valuable when they can be queried efficiently — the speed at which you can extract relevant information during an incident directly determines your response effectiveness.

CloudWatch Logs Insights provides interactive, real-time log querying:

  • Purpose-built query language for CloudWatch log groups
  • Best for real-time operational queries ("show me all 5xx errors in the last hour")
  • Supports cross-log-group queries for correlation
  • Auto-discovers fields in JSON-structured logs

Amazon Athena enables SQL-based querying of logs stored in S3:

  • Query CloudTrail logs, VPC Flow Logs, ALB logs directly in S3 using standard SQL
  • No infrastructure to manage — serverless and pay-per-query
  • Integrates with Security Lake Iceberg tables for OCSF-normalized data
  • Best for historical investigation and ad-hoc analysis

Security Hub Findings:

  • Provides a consolidated view of findings from GuardDuty, Inspector, Macie, Config
  • Findings are pre-analyzed and prioritized by severity
  • Supports custom insights (filtered views) for specific investigation patterns
  • Enables automated workflows through EventBridge integration

Choosing the Right Analysis Tool:

  Question                                           Best Tool
  "What's happening right now?"                      CloudWatch Logs Insights
  "What happened last Tuesday?"                      Athena on S3/Security Lake
  "What are my highest-priority security issues?"    Security Hub findings
  "Correlate across multiple log types"              Security Lake + Athena

⚠️ Exam Trap: Athena queries S3 data (including Security Lake). CloudWatch Logs Insights queries CloudWatch Logs. They can't query each other's data stores directly. If a question asks about querying historical S3-stored CloudTrail logs, the answer is Athena — not CloudWatch Logs Insights.

Scenario: During an incident, you need to find all API calls made by a specific access key in the last 30 days. CloudTrail logs are stored in S3. You use Athena to query: SELECT * FROM cloudtrail_logs WHERE useridentity.accesskeyid = 'AKIA...' AND from_iso8601_timestamp(eventtime) > date_add('day', -30, now()). (In the standard CloudTrail table layout, eventtime is stored as a string, so it has to be converted to a timestamp before it can be compared with the result of date_add.)
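As an added example (not from the course page or from AWS), here is the scenario query expanded into the form an investigator would actually run in Athena: it scopes to the 30-day window, then summarizes what the key did rather than returning every raw row. It assumes the AWS-documented CloudTrail table layout (eventtime stored as an ISO 8601 string, useridentity as a struct), a table named cloudtrail_logs, and a placeholder access key.

```sql
-- Added example: Athena (Trino SQL) investigation of one access key's activity.
-- Assumptions: table cloudtrail_logs uses the AWS-documented CloudTrail schema,
-- where eventtime is a string and useridentity is a struct. The access key below
-- is a placeholder, not a real key.
WITH window_calls AS (
  SELECT
    -- eventtime is a string; convert it before comparing with a timestamp
    from_iso8601_timestamp(eventtime) AS event_ts,
    eventsource,
    eventname,
    awsregion,
    sourceipaddress,
    useragent,
    errorcode
  FROM cloudtrail_logs
  WHERE useridentity.accesskeyid = 'AKIA_PLACEHOLDER_KEY'
    AND from_iso8601_timestamp(eventtime) > date_add('day', -30, now())
    -- On a partitioned table, add predicates on the partition columns
    -- (region/date) here as well: that limits the S3 data scanned, which is
    -- what Athena bills for.
)
SELECT
  eventsource,
  eventname,
  awsregion,
  sourceipaddress,
  count(*)                         AS calls,
  count_if(errorcode IS NOT NULL)  AS failed_calls,   -- AccessDenied etc.
  min(event_ts)                    AS first_seen,
  max(event_ts)                    AS last_seen
FROM window_calls
GROUP BY eventsource, eventname, awsregion, sourceipaddress
ORDER BY calls DESC
LIMIT 100;
```

A high failed_calls count against a service the key never used before, or calls from a new sourceipaddress, is the usual signal that the key is being used by someone other than its owner.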

Reflection Question: Why does the exam expect you to know when to use CloudWatch Logs Insights versus Athena, and what's the cost implication of querying the wrong data store?

Written by Alvin Varughese, Founder, 15 professional certifications