For minimum AWS security logs onboarding, enable CloudTrail (all regions), AWS Config, VPC Flow Logs, and CloudWatch. Centralize logs, set appropriate retention, and secure access. This forms the baseline for visibility and compliance.
------------------------------
Rohit Sansiya
Project Engineer
Information Security Services (ISS-SANS)
Centre for Development of Advanced Computing(C-DAC), Hyderabad
Mobile: 8765232907
------------------------------
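The baseline Rohit lists is a checklist, and the first thing a SOC onboarding review does is verify it is actually in place. The script below is an added example written for this page, not code from the thread or from AWS: it runs the checks offline against dictionaries shaped like the AWS API / boto3 responses named in each docstring (describe_trails, get_event_selectors, get_insight_selectors, get_trail_status, describe_configuration_recorders, describe_configuration_recorder_status, describe_vpcs, describe_flow_logs, describe_log_groups). The function names, the 365-day minimum and the two sample snapshots are assumptions; in practice you would feed it the real responses from the account.

```python
"""Offline audit of the logging baseline from the post above: CloudTrail (all
regions, management plus S3/Lambda data events, Insights), AWS Config, VPC Flow
Logs and CloudWatch Logs retention. Each check takes dicts shaped like the AWS
API / boto3 responses named in its docstring and returns a list of findings; an
empty list means the baseline is met. The samples at the bottom are constructed
for this example, not taken from a real account."""

MIN_RETENTION_DAYS = 365  # assumption: set to your compliance requirement


def audit_cloudtrail(trail, selectors, insights, status):
    """describe_trails entry, get_event_selectors, get_insight_selectors, get_trail_status.
    Trails using AdvancedEventSelectors return no EventSelectors and need that form checked."""
    name = trail.get("Name", "<unnamed>")
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append(f"trail {name}: not multi-region, API calls outside the home region are missed")
    if not trail.get("LogFileValidationEnabled"):
        findings.append(f"trail {name}: log file validation disabled, delivered logs cannot be proven intact")
    if not status.get("IsLogging"):
        findings.append(f"trail {name}: logging is stopped")
    sels = selectors.get("EventSelectors", [])
    # ReadWriteType defaults to All when absent; ReadOnly/WriteOnly drops half the API calls
    if not any(s.get("IncludeManagementEvents") and s.get("ReadWriteType", "All") == "All" for s in sels):
        findings.append(f"trail {name}: management events (all API calls, read and write) not recorded")
    data_types = {r["Type"] for s in sels for r in s.get("DataResources", [])}
    for wanted, label in (("AWS::S3::Object", "S3 object-level"), ("AWS::Lambda::Function", "Lambda invocation")):
        if wanted not in data_types:
            findings.append(f"trail {name}: {label} data events not recorded")
    if "ApiCallRateInsight" not in {i["InsightType"] for i in insights.get("InsightSelectors", [])}:
        findings.append(f"trail {name}: CloudTrail Insights (unusual API call rate) not enabled")
    return findings


def audit_config(recorders, statuses):
    """describe_configuration_recorders and describe_configuration_recorder_status."""
    recs = recorders.get("ConfigurationRecorders", [])
    if not recs:
        return ["AWS Config: no configuration recorder, resource configuration changes are not recorded"]
    recording = {s["name"]: s.get("recording", False) for s in statuses.get("ConfigurationRecordersStatus", [])}
    findings = []
    for rec in recs:
        group = rec.get("recordingGroup", {})
        if not (group.get("allSupported") and group.get("includeGlobalResourceTypes")):
            findings.append(f"AWS Config recorder {rec['name']}: not recording all supported and global resource types")
        if not recording.get(rec["name"]):
            findings.append(f"AWS Config recorder {rec['name']}: recording is off")
    return findings


def audit_flow_logs(vpcs, flow_logs):
    """describe_vpcs and describe_flow_logs: every VPC needs an ACTIVE flow log for ALL traffic
    (ACCEPT-only would hide the rejected connections that reveal scanning)."""
    covered = {f["ResourceId"] for f in flow_logs.get("FlowLogs", [])
               if f.get("FlowLogStatus") == "ACTIVE" and f.get("TrafficType") == "ALL"}
    return [f"VPC {v['VpcId']}: no active flow log capturing ALL traffic"
            for v in vpcs.get("Vpcs", []) if v["VpcId"] not in covered]


def audit_log_retention(log_groups, min_days=MIN_RETENTION_DAYS):
    """describe_log_groups: a missing retentionInDays means 'never expire', which meets any minimum."""
    return [f"log group {g['logGroupName']}: retention {g['retentionInDays']}d below required {min_days}d"
            for g in log_groups.get("logGroups", [])
            if g.get("retentionInDays") is not None and g["retentionInDays"] < min_days]


# Constructed sample snapshots. GOOD meets the baseline; BAD has typical first-review gaps.
GOOD = {
    "trail": {"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
    "selectors": {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": [
        {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}, {"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"]}]}]},
    "insights": {"InsightSelectors": [{"InsightType": "ApiCallRateInsight"}]},
    "status": {"IsLogging": True},
    "recorders": {"ConfigurationRecorders": [{"name": "default", "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}]},
    "recorder_status": {"ConfigurationRecordersStatus": [{"name": "default", "recording": True}]},
    "vpcs": {"Vpcs": [{"VpcId": "vpc-0a1b2c3d"}]},
    "flow_logs": {"FlowLogs": [{"ResourceId": "vpc-0a1b2c3d", "TrafficType": "ALL", "FlowLogStatus": "ACTIVE"}]},
    "log_groups": {"logGroups": [{"logGroupName": "/aws/cloudtrail/org-trail", "retentionInDays": 400}]},
}
BAD = dict(GOOD)  # shallow copy, then override the parts that differ
BAD["trail"] = {"Name": "regional-trail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": True}
BAD["selectors"] = {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                                        "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}]}
BAD["flow_logs"] = {"FlowLogs": []}
BAD["log_groups"] = {"logGroups": [{"logGroupName": "/aws/vpc/flow", "retentionInDays": 30}]}


def run_audit(snap):
    """Run every check on one snapshot and return the combined findings."""
    return (audit_cloudtrail(snap["trail"], snap["selectors"], snap["insights"], snap["status"])
            + audit_config(snap["recorders"], snap["recorder_status"])
            + audit_flow_logs(snap["vpcs"], snap["flow_logs"])
            + audit_log_retention(snap["log_groups"]))


if __name__ == "__main__":
    for label, snap in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, run_audit(snap) or ["baseline met"])
```

The checks are deliberately strict on the points that most often turn a trail into a false sense of coverage: a single-region trail, a ReadOnly/WriteOnly selector, data events switched on for S3 but not Lambda, and ACCEPT-only flow logs. Centralisation and access control of the log bucket (the "secure access" part of the baseline) are not checked here because they depend on the bucket policy and KMS key policy of the destination account.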
Original Message:
Sent: Apr 21, 2025 06:55:35 PM
From: Jayesh Dalmet
Subject: AWS Logging strategies - Minimum Requirements for Security Logs onboarding
The below logs need to be collected:
Logs of all API calls made to AWS services.
Logs of S3 object-level operations and Lambda function invocations.
Unusual API activity patterns.
Records of configuration changes to AWS resources.
Logs of requests made to CloudFront distributions.
Logs of requests made to S3 buckets.
Logs of requests sent to ELB, including client IP addresses and request paths.
Also, we need to ensure that logs are retained for an appropriate period to meet compliance requirements.
------------------------------
Jayesh Dalmet
Sr. Network Security Engineer - L4
NetApp
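The last three items in Jayesh's list (CloudFront, S3 and ELB request logs) each arrive at the SOC in a different text format, and onboarding them means parsing each into a shape that can be queried together. The following is an added example written for this page, not code from the thread or from AWS: a small normaliser for the ALB variant of ELB access logs (Classic Load Balancer lines have a shorter layout and are not handled), S3 server access logs and CloudFront standard logs, producing one record shape with client IP, path and status. Field positions follow the formats AWS documents; the sample lines, addresses, bucket and function names are constructed for the example.

```python
"""Normalise the request-level sources in the list above (ALB access logs, S3
server access logs, CloudFront standard logs) into one record shape so the SOC
can query client IP, path and status across all three. Field positions follow
the AWS-documented formats; the sample lines are constructed for this example
and are not from a real account."""
import re
import shlex
from urllib.parse import urlparse

# S3 server access log: space separated, timestamp in [brackets], request URI quoted.
S3_RE = re.compile(r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
                   r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
                   r'"(?P<request>[^"]*)" (?P<status>\S+)')


def _path(request_line):
    """'GET http://host:80/a?x=1 HTTP/1.1' or 'GET /a HTTP/1.1' -> '/a' (query dropped)."""
    parts = request_line.split(" ")
    return (urlparse(parts[1]).path or "/") if len(parts) >= 2 else None


def parse_alb_line(line):
    """One ALB access log line; shlex keeps the quoted request/user-agent fields whole."""
    f = shlex.split(line)
    if len(f) < 14:
        raise ValueError("short ALB line")
    client_ip = f[3].rsplit(":", 1)[0].strip("[]")  # client:port, drop the port and any brackets
    return {"source": "alb", "time": f[1], "lb": f[2], "client_ip": client_ip,
            "method": f[12].split(" ")[0], "path": _path(f[12]), "status": int(f[8])}


def parse_s3_line(line):
    """One S3 server access log line; a requester of '-' is an anonymous request."""
    m = S3_RE.match(line)
    if not m:
        raise ValueError("unrecognised S3 access log line")
    return {"source": "s3", "time": m["time"], "bucket": m["bucket"], "client_ip": m["ip"],
            "requester": m["requester"], "operation": m["operation"],
            "method": m["request"].split(" ")[0], "path": _path(m["request"]),
            "status": int(m["status"]) if m["status"].isdigit() else None}


def parse_cloudfront(text):
    """A CloudFront standard log file: the '#Fields:' header names the tab-separated
    columns, so the parser is header driven and tolerates the full column set."""
    fields, out = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #Fields header")
        rec = dict(zip(fields, line.split("\t")))
        out.append({"source": "cloudfront", "time": f'{rec["date"]}T{rec["time"]}Z',
                    "edge": rec["x-edge-location"], "client_ip": rec["c-ip"],
                    "method": rec["cs-method"], "path": rec["cs-uri-stem"], "status": int(rec["sc-status"])})
    return out


# Constructed samples (RFC 5737 test addresses). The CloudFront header is cut to its first
# nine columns; real files carry the full documented set and parse the same way.
ALB_SAMPLE = ('https 2025-04-21T13:25:11.123456Z app/prod-alb/50dc6c495c0c9188 203.0.113.7:51234 10.0.1.20:8080 '
              '0.001 0.004 0.000 403 403 120 342 "GET https://app.example.com:443/admin/users?page=2 HTTP/1.1" '
              '"Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 '
              'arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/prod/73e2d6bc24d8a067 '
              '"Root=1-58337262-36d228ad5d99923122bbe354" "app.example.com" "-" 0 2025-04-21T13:25:11.119000Z '
              '"forward" "-" "-" "10.0.1.20:8080" "403" "-" "-"')
S3_SAMPLE = ('79a59df900b949e55d96a1e698fbacedfd6e09d98eaf6a4e0ad2f0a4c4ddc8 soc-logs-bucket '
             '[21/Apr/2025:13:26:02 +0000] 198.51.100.23 - 3E57427F3EXAMPLE REST.GET.OBJECT '
             'exports/users.csv "GET /soc-logs-bucket/exports/users.csv HTTP/1.1" 403 AccessDenied '
             '243 - 12 - "-" "aws-cli/2.15.0" - hostidEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 '
             'AuthHeader soc-logs-bucket.s3.eu-west-1.amazonaws.com TLSV1.2 - Yes')
CF_SAMPLE = ("#Version: 1.0\n"
             "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status\n"
             "2025-04-21\t13:27:45\tLHR62-C1\t392\t192.0.2.100\tGET\td111111abcdef8.cloudfront.net\t/index.html\t200\n"
             "2025-04-21\t13:27:46\tLHR62-C1\t120\t192.0.2.100\tGET\td111111abcdef8.cloudfront.net\t/.env\t403\n")


def normalise_samples():
    """Parse every sample and return the combined list of normalised records."""
    return [parse_alb_line(ALB_SAMPLE), parse_s3_line(S3_SAMPLE)] + parse_cloudfront(CF_SAMPLE)


def denied_by_ip(records):
    """4xx responses per client IP across all sources: the kind of cross-source question
    that becomes a one-liner once the logs share a schema."""
    counts = {}
    for r in records:
        if r["status"] is not None and 400 <= r["status"] < 500:
            counts[r["client_ip"]] = counts.get(r["client_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = normalise_samples()
    for r in recs:
        print(r["source"], r["client_ip"], r["method"], r["path"], r["status"])
    print(denied_by_ip(recs))
```

Two details matter for investigations and are easy to lose in a naive split: the ALB "request" field is a quoted string containing spaces (so the client IP and path are wrong if you split on whitespace), and the S3 requester field distinguishes anonymous access ('-') from an authenticated principal, which is exactly what you want to pivot on when an object-level 403 or 200 looks suspicious. The CloudFront parser reads the column names from the file header, so it keeps working when AWS appends new columns.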
Original Message:
Sent: Feb 20, 2025 01:25:11 PM
From: Ewaldo S Hiras
Subject: AWS Logging strategies - Minimum Requirements for Security Logs onboarding
This depends on your threat model, but a good practical reference is available here: https://aws.amazon.com/blogs/security/logging-strategies-for-security-incident-response/
------------------------------
Ewaldo S Hiras
Independent Researcher
GGS
Original Message:
Sent: Sep 19, 2023 12:32:56 AM
From: Panagiotis Chavariotis
Subject: AWS Logging strategies - Minimum Requirements for Security Logs onboarding
Dear community,
Effective security incident response depends on adequate logging. If you have the proper logs and can query them, you can respond more rapidly and effectively to security events. If a security event occurs, you can use various log sources to validate what happened and understand the scope. Then, you can use the results of your analysis to take remediation actions.
Is there any document that outlines the minimum log requirements that all services within an AWS account must send to the Security Operations Center?
Regards,
------------------------------
Panagiotis Chavariotis
------------------------------