CSA CCM LOG-01
Logging and Monitoring Policy and Procedures

Without clear policies and procedures to guide logging and monitoring activities, an organization may lack visibility into potential security incidents and be unable to respond effectively. The LOG-01 control from the Cloud Security Alliance Cloud Controls Matrix helps organizations establish a strong foundation for logging and monitoring in the cloud.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26, which can be downloaded at https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4. The CCM is a comprehensive set of controls designed to help organizations assess the security posture of cloud providers and guide security efforts. LOG-01 is part of the Logging and Monitoring domain.

For more background, check out the AWS CloudTrail documentation at https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html and the AWS CloudWatch docs at https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html.

Who should care?

This control is relevant for:

  • Security analysts with responsibility for detecting and investigating security incidents
  • DevOps engineers with ownership of production workloads running in the cloud
  • Compliance officers with oversight of the organization's adherence to regulatory requirements
  • IT leaders with accountability for the overall security of the company's cloud footprint

What is the risk?

Without robust logging and monitoring policies and procedures, an organization faces increased risk of:

  • Security incidents going undetected, leading to data breaches or system compromises
  • Inability to determine root cause of an incident due to lack of sufficient logging
  • Failure to meet compliance requirements around logging and alerting
  • Uncoordinated response to incidents due to unclear roles and responsibilities

While LOG-01 alone cannot fully mitigate these risks, it is an essential foundational control. Clear policies set expectations and enable investments in tooling and headcount to put the procedures into action.

What's the care factor?

For any organization operating in the cloud, LOG-01 should be a high priority control to implement. Logging and monitoring are key ingredients for maintaining strong cyber hygiene. With the complexity and pace of change in cloud environments, having clearly defined policies is a must.

The care factor is especially high for organizations beholden to external compliance requirements such as HIPAA, PCI DSS, SOC 2, etc. Auditors will look for evidence of logging and monitoring policies and procedures. Lack of these artifacts will lead to audit findings.

When is it relevant?

LOG-01 is relevant for virtually any workload deployed in a cloud environment like AWS, Azure, or GCP. Even a simple static website should have some level of logging to detect unauthorized changes.

The control becomes increasingly critical for:

  • Internet-facing applications that handle sensitive data
  • Multi-tenant SaaS applications
  • Workloads subject to regulatory requirements
  • Complex microservices architectures

A rare example of when LOG-01 may not apply is an isolated development environment with mock non-sensitive data used for testing.

What are the trade offs?

Implementing logging and monitoring per LOG-01 comes with some costs and considerations:

  • Logging everything generates large volumes of data that can be expensive to store and analyze. Organizations need to be thoughtful about what to log and for how long to balance value vs cost.
  • More logging means more potential exposure of sensitive data. Policies must be carefully designed to ensure proper access controls and retention periods.
  • Someone has to be responsible for regularly reviewing logs and responding to alerts. This typically requires a 24x7 Security Operations Center which is a significant investment.
  • Policies and procedures are only effective if they are enforced. It takes discipline from engineering and leadership to ensure controls are consistently implemented.

How to make it happen?

To implement LOG-01 in an AWS environment:

  1. Define the policy. Document what needs to be logged (user access, privileged actions, resource changes, etc), how long to retain logs, who should have access, and incident response procedures. Gain approval from stakeholders.
  2. Enable AWS CloudTrail on all accounts. Configure it to send logs to a secured S3 bucket. Enable log file integrity validation.
  3. Configure AWS Config to record resource changes and send notifications.
  4. Set up Amazon GuardDuty for intelligent threat detection based on logs.
  5. Use AWS IAM to enforce tight access control policies on log storage and management services.
  6. Configure AWS CloudWatch to collect and analyze logs. Set up metric filters and alarms to alert on key events.
  7. Integrate with a SIEM tool like Splunk or SumoLogic for centralized log aggregation and correlation.
  8. Implement processes for regular log review, incident investigation, and compliance reporting. Test procedures annually.
  9. Train all staff on logging policies and their roles in implementation.

What are some gotchas?

A few things to watch out for when implementing LOG-01 on AWS:

  • By default, CloudTrail only logs management events. Make sure to enable data events for S3 buckets and other key resources.
  • Logs are only useful if you look at them. Don't set and forget. Regularly review CloudTrail logs at a minimum.
  • Restrict access to log files. They often contain sensitive data. Remember the principle of least privilege. Key IAM permissions to tighten:
    • s3:GetObject on the CloudTrail bucket
    • cloudtrail:GetTrailStatus
    • cloudwatch:GetMetricData
    • cloudwatch:GetDashboard
  • GuardDuty is not a silver bullet. It still requires tuning and human analysis to get value.

What are the alternatives?

LOG-01 is primarily focused on establishing policies and procedures vs prescribing specific tooling. As such, there aren't direct alternatives, but a few things to consider:

  • Leverage cloud-native logging tools vs third-party. AWS has robust services that are tightly integrated, but tools like Splunk are also popular.
  • Consider an open source SIEM like the ELK stack as an alternative to commercial tools.
  • Outsource log management and security monitoring to an MSSP vs doing it in-house. Still need the policies though!

Explore Further

Hope this helps explain the importance of establishing clear logging and monitoring policies in the cloud! Let me know if you have any other questions.

?

Blog

Learn cloud security with our research blog