AWS-Native Services

Logging Services

The primary security logging services in AWS are:

• AWS CloudTrail
• Amazon CloudWatch
• VPC Flow Logs
• Amazon Route 53 Query

Types of logs

There are generally two broad categories of logging:

• Control plane events
• Services logs

Control plane events are events that happen at the management layer, meaning the layer responsible for managing and controlling cloud resources. This could be creating, modifying, or deleting a resource. For example, if someone modifies a security group's rules, that would be considered a control plane event.

Service logs, instead, are more specific logs that are generated by individual services or applications.

Example:

If you have AWS Lambda functions executing code and writing logs, those would be considered service logs. If someone goes in and creates a new Lambda function, then that would be a control plane event.

Log aggregators

The primary security logging aggregators in AWS are:

• Amazon S3
• Amazon Security Lake
• Amazon Kinesis Data Firehose
• Amazon Athena

Visualization

The primary security visualization services in AWS:

• Amazon OpenSearch
• Amazon QuickSight
• Amazon Managed Grafana
• Amazon CloudWatch (offers custom dashboards)