Centralized audit logs

⭐️☁️ Platform

Audit logs from all cloud tenants (API/resource access) are centrally collected and stored.

Audit Logs are records of what actions were performed by whom. A centralized audit log stores audit logs from all cloud tenants.

The audit logs we need to store here cover interactions with the cloud API. A common example would be answering the question “who deployed and configured this specific Cloud Function?”. This is important to balance the freedom given to teams: “We let you deploy your own workload, but we will be looking over your shoulders”.

Centralized audit logs make an analysis of logs easier for auditors. Standardizing and providing a centralized audit log as part of Landing Zones frees application teams from the burden of finding out how to comply with auditor requirements.


Proven Patterns When Implementing Centralized Audit Logs

Store and Retain First, Worry about Analytics Later

Stored audit logs already enable incident analysis from day one. SIEM and preventive capabilities can still be built on top of them later. See Cloud SIEM.

Carefully Guard Access to Centralized Audit Logs

Application teams are responsible for keeping secrets from leaking into logs. Even with rolling credentials, there is a chance that centralized audit logs contain sensitive information. Therefore access should be restricted carefully to minimize risk.

Create a Concept That Outlines Your Centralized Audit Log Strategy

Application teams and Auditors want to know how the system works and need to know how to interact with it. Laying it out in a concept that is shared widely reduces dependencies.

How to Implement Centralized Audit Logs

Azure

  1. Create a Log analytics workspace

  2. Assign the policy “Configure Azure Activity logs to stream to specified Log Analytics workspace”, which sets the diagnostic settings for the Azure Activity log.

AWS

To set up central audit logs in AWS, set up AWS CloudTrail and Amazon CloudWatch.

Add the following Service Control Policy to prevent CloudTrail from being switched off:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

Similarly, add the following Service Control Policy to prevent changes to AWS Config:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "config:DeleteConfigRule",
                "config:DeleteConfigurationRecorder",
                "config:DeleteDeliveryChannel",
                "config:StopConfigurationRecorder"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

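A guardrail SCP only helps if it really covers every action that can disable audit logging. The following Python script is an added example (not part of this page or any AWS tooling) that lints an SCP document offline against the actions listed in the two policies above; REQUIRED_DENIES and the sample policies are constructed from those two SCPs, and the weak variant is made up to show a gap.

```python
import fnmatch
import json

# Actions the two SCPs above deny; a guardrail SCP must cover all of them.
REQUIRED_DENIES = {
    "cloudtrail": {"cloudtrail:StopLogging", "cloudtrail:DeleteTrail"},
    "config": {
        "config:DeleteConfigRule", "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel", "config:StopConfigurationRecorder",
    },
}

def _as_list(value):
    """IAM allows a single string/object or a list in Statement, Action and Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def denied_action_patterns(policy):
    """Action patterns that the policy denies unconditionally on every resource."""
    patterns = set()
    for stmt in _as_list(policy.get("Statement")):
        # A Deny narrowed by a Condition or a specific Resource can leave paths open,
        # so only unconditional, resource-wide denies count as a guardrail here.
        if stmt.get("Effect") != "Deny" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        patterns.update(_as_list(stmt.get("Action")))
    return patterns

def missing_denies(policy, required):
    """Required actions no Deny pattern covers (IAM wildcards * and ?, case-insensitive)."""
    patterns = {p.lower() for p in denied_action_patterns(policy)}
    return {a for a in required
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}

def audit_guardrail(policy_json, service):
    """Parse an SCP document and return the sorted list of uncovered actions for one service."""
    return sorted(missing_denies(json.loads(policy_json), REQUIRED_DENIES[service]))

# Constructed samples: the CloudTrail SCP from above, and a weak variant that forgot DeleteTrail.
PAGE_CLOUDTRAIL_SCP = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
    "Resource": "*", "Effect": "Deny"}]})
WEAK_SCP = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Action": "cloudtrail:StopLogging", "Resource": "*", "Effect": "Deny"}]})

if __name__ == "__main__":
    print("page SCP gaps:", audit_guardrail(PAGE_CLOUDTRAIL_SCP, "cloudtrail"))  # []
    print("weak SCP gaps:", audit_guardrail(WEAK_SCP, "cloudtrail"))  # ['cloudtrail:DeleteTrail']
```

Run it against the SCP you actually attach to your organizational units; a non-empty result means an account could still switch the trail or recorder off.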
GCP

To set up central audit logs in Google Cloud Platform (GCP), you can utilize Cloud Audit Logs and Cloud Monitoring. Cloud Audit Logs are always enabled and cannot be switched off.

However, we recommend additionally switching on Data Access Logs. See the Google Cloud documentation for how to do that.

  • GCP Fabric FAST

    By default, it captures logs from GCP’s Cloud Audit and VPC Service Control violations. It can be further customized to capture even more logs by configuring so-called log sinks. That way you can e.g. push logs to BigQuery or a SIEM solution.
  • GCP CFT - Example Foundation

    Centralized Audit Logs are applied and you can configure exports to BigQuery, pub/sub systems, and more.
  • GCP Setup Checklist

    Basic centralized logging is configured by default. You have to follow manual steps to push logs to BigQuery, SIEM, etc.
  • Azure LZ accelerator - ES

    Deploys a Log Analytics Workspace and enables logging through policy.
  • Azure LZ Terraform module - ES

    Deploys a Log Analytics workspace that enables centralized audit logging as part of the “Management Resources” module.
  • Azure CAF Terraform Modules

    Deploys a Log Analytics workspace that enables centralized audit logging as part of the “Management Resources” module.
  • AWS Control Tower with Account Factory

    Enables the CloudTrail service to aggregate action and event logs from different AWS accounts into the shared Log Archive account and records them in CloudWatch. With CT release ≥ 3.0, an organization trail is created to gather event logs on an organization level instead of a member trail that gathers logs on a per-account basis.
  • AWS Control Tower with AFT

    With AFT, you can also enable CloudTrail data events. Data events are events performed on or within a resource. These are disabled by default as they often incur high costs. This is done when deploying AFT by setting aft_feature_cloudtrail_data_events to true.
  • AWS Landing Zone Accelerator

    Uses the LogArchive account to store the logs. It can be configured easily which logs shall be included.