
Curriculum Overview: AWS Cloud Security Logging and Monitoring

Where to capture and locate logs that are associated with cloud security

This curriculum provides a comprehensive pathway to mastering the capture, location, and analysis of security-related logs within the AWS ecosystem. It aligns with the AWS Certified Cloud Practitioner (CLF-C02) exam objectives, specifically Task Statement 2.2.

## Prerequisites

Before beginning this curriculum, learners should have a foundational understanding of the following concepts:

  • AWS Shared Responsibility Model: Understanding the division of security duties between AWS (Security of the Cloud) and the Customer (Security in the Cloud).
  • Basic Cloud Infrastructure: Familiarity with services like Amazon EC2, Amazon S3, and Amazon VPC.
  • IAM Fundamentals: Knowledge of Users, Groups, and the Principle of Least Privilege.
  • JSON Syntax: Ability to read basic JavaScript Object Notation, as most AWS logs are delivered in this format.

## Module Breakdown

| Module | Topic | Complexity | Focus Area |
|---|---|---|---|
| 1 | The Audit Trail: AWS CloudTrail | Beginner | API Activity, Governance, Auditing |
| 2 | The Watchtower: Amazon CloudWatch | Intermediate | Metrics, Real-time Logging, Alarms |
| 3 | Network & Resource Logs | Intermediate | VPC Flow Logs, Route 53, DNS Queries |
| 4 | Log Integrity & Storage | Advanced | S3 Archiving, Encryption, Hash Validation |
| 5 | Security Tool Integration | Advanced | GuardDuty, Security Hub, Config |

## Module Objectives

Module 1: AWS CloudTrail

  • Differentiate between Management Events and Data Events.
  • Identify where to locate the 90-day default event history.
  • Configure a Trail for multi-region logging and long-term storage in S3.

Module 2: Amazon CloudWatch Logs

  • Understand the hierarchy: Log Groups → Log Streams → Log Events.
  • Implement Metric Filters to extract security data (e.g., counting 403 Forbidden errors).

Module 4: Log Integrity & Storage

  • Enable Log File Integrity Validation so that tampering with delivered audit logs can be detected (CloudTrail then delivers signed digest files alongside the logs).
  • Apply Server-Side Encryption (SSE-S3 or SSE-KMS) to log buckets; with SSE-KMS the key policy must also allow CloudTrail to use the key.
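As an added example (not part of the course page or any AWS sample), the following Python assembles what the Module 1 objective (a multi-region trail delivering to S3) and the Module 4 objectives (integrity validation and SSE-KMS on the bucket) ask for: the bucket policy CloudTrail requires before it will deliver, the bucket's default encryption, and the `create_trail` parameters. The bucket, account, region, trail and KMS key names are placeholders; only `apply()` talks to AWS, needs boto3 and credentials, and is not exercised offline.

```python
"""Stand up a multi-region, validated, KMS-encrypted CloudTrail trail.

Added example, not from the course. The pure helpers return the policy /
parameter documents so they can be inspected or unit-tested; apply() is the
only function that calls AWS (requires boto3 and credentials).
"""
import json


def cloudtrail_bucket_policy(bucket: str, account_id: str, region: str, trail_name: str) -> dict:
    """Bucket policy CloudTrail needs in order to deliver logs.

    The aws:SourceArn condition pins delivery to *this* trail: without it,
    anyone who knows the bucket name could point a trail in their own account
    at it (a confused-deputy problem).
    """
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceArn": trail_arn,
                    }
                },
            },
        ],
    }


def bucket_encryption_config(kms_key_arn: str) -> dict:
    """Default SSE-KMS encryption for the log bucket (Module 4 objective)."""
    return {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": kms_key_arn,
                },
                "BucketKeyEnabled": True,  # cuts KMS request volume for a busy log bucket
            }
        ]
    }


def trail_parameters(trail_name: str, bucket: str, kms_key_arn: str) -> dict:
    """Keyword arguments for CloudTrail.Client.create_trail()."""
    return {
        "Name": trail_name,
        "S3BucketName": bucket,
        "IsMultiRegionTrail": True,          # events from every region, not only the home one
        "IncludeGlobalServiceEvents": True,  # IAM, STS and other global services
        "EnableLogFileValidation": True,     # hourly signed SHA-256 digest files
        "KmsKeyId": kms_key_arn,             # SSE-KMS on the delivered log objects
    }


def apply(bucket: str, account_id: str, region: str, trail_name: str, kms_key_arn: str) -> None:
    """Perform the API calls. Needs boto3 and credentials; not run offline."""
    import boto3  # imported here so the pure helpers work without boto3 installed

    s3 = boto3.client("s3", region_name=region)
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=bucket_encryption_config(kms_key_arn),
    )
    s3.put_bucket_policy(
        Bucket=bucket,
        Policy=json.dumps(cloudtrail_bucket_policy(bucket, account_id, region, trail_name)),
    )
    ct = boto3.client("cloudtrail", region_name=region)
    ct.create_trail(**trail_parameters(trail_name, bucket, kms_key_arn))
    ct.start_logging(Name=trail_name)  # create_trail alone does not start delivery
```

Two things the code cannot do for you: the KMS key policy must grant `cloudtrail.amazonaws.com` permission to generate data keys with that key, or delivery fails silently from the trail's point of view, and the bucket should sit in a separate logging account so that a compromised workload account cannot delete its own audit trail.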

## Examples

[!TIP] Always remember: CloudTrail is about "Who did what?" (Auditing), while CloudWatch is about "What is happening now?" (Performance/Monitoring).

Scenario 1: Identifying Unauthorized Access

If an IAM user attempts to delete an S3 bucket and is denied, the call is still recorded by CloudTrail: DeleteBucket is a management event, so it appears in Event History even when no trail has been configured.

  • Location: CloudTrail Event History.
  • Key Detail: Look for AccessDenied in the errorCode field; the accompanying errorMessage names the principal and the action that was refused.
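An added example (not from the course page) of the same triage done over a delivered log file rather than in the console: it pulls every denied call out of a CloudTrail record set, collapses role sessions back to the role that issued them, and ranks which principal is generating the denials. The records are constructed in the shape CloudTrail writes to S3 (`{"Records": [...]}`); the account ID, user, role and IP addresses are placeholders.

```python
"""Triage denied API calls in a CloudTrail log file (Scenario 1).

Added example; SAMPLE_LOG is constructed, not real account data.
"""
import gzip
import json
from collections import Counter, defaultdict

# Denial is not always spelled "AccessDenied": EC2 reports Client.UnauthorizedOperation,
# many newer APIs report AccessDeniedException.
DENIAL_CODES = {
    "AccessDenied", "AccessDeniedException",
    "Client.UnauthorizedOperation", "UnauthorizedOperation",
}

ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice"}
DEPLOY = {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/ci-deploy"}},
}

SAMPLE_LOG = {"Records": [
    {"eventTime": "2024-03-01T10:00:01Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10", "userIdentity": ALICE},
    {"eventTime": "2024-03-01T10:00:07Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "sourceIPAddress": "203.0.113.10", "userIdentity": ALICE, "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::123456789012:user/alice is not authorized to perform: s3:DeleteBucket",
     "requestParameters": {"bucketName": "audit-logs"}},
    {"eventTime": "2024-03-01T10:00:09Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "sourceIPAddress": "203.0.113.10", "userIdentity": ALICE, "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "finance-exports"}},
    {"eventTime": "2024-03-01T10:00:15Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "sourceIPAddress": "203.0.113.10", "userIdentity": ALICE, "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "audit-logs"}},
    {"eventTime": "2024-03-01T10:03:40Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "sourceIPAddress": "10.0.4.22", "userIdentity": DEPLOY, "errorCode": "Client.UnauthorizedOperation"},
]}


def load_records(path: str) -> list:
    """Read a delivered CloudTrail object (.json.gz) from local disk."""
    with gzip.open(path, "rt") as fh:
        return json.load(fh)["Records"]


def principal_arn(identity: dict) -> str:
    """Collapse a role session to the role that issued it so sessions aggregate."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "unknown")


def denied_events(records: list) -> list:
    """Every record whose errorCode is one of the known denial codes, flattened."""
    out = []
    for r in records:
        if r.get("errorCode") in DENIAL_CODES:
            out.append({
                "time": r["eventTime"],
                "principal": principal_arn(r["userIdentity"]),
                "action": f"{r['eventSource'].split('.')[0]}:{r['eventName']}",
                "source_ip": r.get("sourceIPAddress"),
                "target": r.get("requestParameters"),
            })
    return out


def rank_principals(denials: list) -> list:
    """Who is collecting the most denials, most frequent first."""
    return Counter(d["principal"] for d in denials).most_common()


def actions_by_principal(denials: list) -> dict:
    """Sorted set of denied actions per principal; a wide spread suggests enumeration."""
    out = defaultdict(set)
    for d in denials:
        out[d["principal"]].add(d["action"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    denied = denied_events(SAMPLE_LOG["Records"])
    print(rank_principals(denied))
    print(actions_by_principal(denied))
```

Event History's console filter does not offer error code as a lookup attribute, so for anything beyond scanning a handful of events you will be running this kind of logic over the trail's S3 objects (Athena works well) or querying CloudTrail Lake.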

Scenario 2: Monitoring Web Server Errors

You want to know if your web application is experiencing a spike in unauthorized requests.

  • Location: CloudWatch Logs.
  • Process: Create a Metric Filter that matches the HTTP status field (for a space-delimited access log, a pattern of the form `[ip, ident, user, timestamp, request, status=403, bytes]`) rather than the bare term "403", which would also match a URL path or byte count containing those digits. Publish the count as a custom metric and alarm when its Sum over a 300-second period exceeds 10.
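The following Python, added here as an example (not course material or AWS code), reproduces offline what the metric filter and alarm in Scenario 2 do, and serves the Module 2 objective on metric filters as well: it tokenises constructed access-log lines the way CloudWatch splits space-delimited fields (bracketed and quoted text is one field), counts 403 responses per five-minute window, and reports windows that would trip the alarm. It also shows the caveat with a bare "403" term by including two decoy lines that contain the digits elsewhere. The IP address, paths and timestamps are made up.

```python
"""Metric-filter style 403 spike detection over access-log lines (Scenario 2).

Added example; LOG_LINES are constructed. A CloudWatch space-delimited
filter pattern such as
    [ip, ident, user, timestamp, request, status=403, bytes]
matches what status_match() matches; naive_match() is the bare term "403".
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

FMT = '198.51.100.7 - - [01/Mar/2024:{ts} +0000] "GET {path} HTTP/1.1" {status} {size}'


def _line(ts: str, path: str, status: int, size: int) -> str:
    return FMT.format(ts=ts, path=path, status=status, size=size)


# 12 forbidden requests inside 10:00-10:05, two stragglers at 10:20, two decoys.
LOG_LINES = [_line(f"10:0{i // 3}:{(i % 3) * 20:02d}", "/admin", 403, 199) for i in range(12)]
LOG_LINES += [
    _line("10:20:01", "/admin", 403, 199),
    _line("10:20:03", "/admin", 403, 199),
    _line("10:02:11", "/item/403", 200, 5120),     # decoy: path contains 403
    _line("10:02:12", "/report.pdf", 200, 14030),  # decoy: byte count contains 403
]

TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def fields(line: str) -> list:
    """Split as CloudWatch does for space-delimited patterns: [...] and "..." stay whole."""
    return TOKEN.findall(line)


def naive_match(line: str) -> bool:
    """Filter pattern: 403  (a term match anywhere in the event)."""
    return "403" in line


def status_match(line: str, code: str = "403") -> bool:
    """Filter pattern: [ip, ident, user, timestamp, request, status=403, bytes]."""
    f = fields(line)
    return len(f) == 7 and f[5] == code


def window_counts(lines: list, window: timedelta = timedelta(minutes=5)) -> Counter:
    """Matches per fixed window, as the metric's Sum statistic over that period would be."""
    secs = int(window.total_seconds())
    counts = Counter()
    for line in lines:
        if not status_match(line):
            continue
        ts = datetime.strptime(fields(line)[3].strip("[]"), "%d/%b/%Y:%H:%M:%S %z")
        start = int(ts.timestamp()) // secs * secs
        counts[datetime.fromtimestamp(start, tz=timezone.utc)] += 1
    return counts


def alarming_windows(lines: list, threshold: int = 10) -> dict:
    """Windows whose Sum exceeds the threshold: these would put the alarm in ALARM."""
    return {w: n for w, n in window_counts(lines).items() if n > threshold}


if __name__ == "__main__":
    print("bare term matches:", sum(map(naive_match, LOG_LINES)))    # 16, two of them wrong
    print("status field matches:", sum(map(status_match, LOG_LINES)))  # 14
    for start, n in alarming_windows(LOG_LINES).items():
        print(f"ALARM window starting {start.isoformat()}: {n} x 403")
```

In the real service the same split is `aws logs put-metric-filter` with that bracketed `--filter-pattern`, a `--metric-transformations` entry with `metricValue=1`, and `aws cloudwatch put-metric-alarm --statistic Sum --period 300 --threshold 10 --comparison-operator GreaterThanThreshold --evaluation-periods 1` on the resulting metric.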

Scenario 3: Validating Log Authenticity

A compliance auditor asks for proof that logs from six months ago have not been modified.

  • Location: Amazon S3, in the CloudTrail-Digest prefix of the trail's bucket.
  • Method: Use the CloudTrail Digest Files, delivered hourly once Log File Integrity Validation is enabled. Each digest lists the SHA-256 hash of every log file delivered in that hour, carries the hash of the previous digest (so the chain cannot be cut silently), and is signed by CloudTrail with a private key that only AWS holds. If even one bit of a log file changed, its hash would no longer match. Run `aws cloudtrail validate-logs --trail-arn <arn> --start-time <time>` to check the chain, and note that it can only vouch for files delivered after validation was switched on.
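To make the digest mechanism concrete, here is an added example (not course material, and not the AWS validator) that builds two hour-digests in the same field layout CloudTrail uses (`logFiles[].hashValue`, `previousDigestS3Object`, `previousDigestHashValue`) over constructed log objects, then shows what validation reports when a log file is edited and, separately, when the attacker also regenerates the digest that covered it. The account ID, bucket and object keys are placeholders, and the RSA signature CloudTrail stores on each digest object is deliberately not modelled.

```python
"""Verify CloudTrail log files against their digest chain (Scenario 3).

Added example. The digest layout mirrors CloudTrail's digest JSON, but the
log bytes and S3 keys are constructed and the per-digest signature that
`aws cloudtrail validate-logs` checks with CloudTrail's public key is omitted.
"""
import hashlib
import json

ACCOUNT = "123456789012"
BUCKET = "audit-logs"
LOG_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/03/01/"
DIGEST_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2024/03/01/"

LOG1 = f"{LOG_PREFIX}{ACCOUNT}_CloudTrail_us-east-1_20240301T0100Z_a.json.gz"
LOG2 = f"{LOG_PREFIX}{ACCOUNT}_CloudTrail_us-east-1_20240301T0200Z_b.json.gz"
DIGEST1 = f"{DIGEST_PREFIX}{ACCOUNT}_CloudTrail-Digest_us-east-1_20240301T010000Z.json.gz"
DIGEST2 = f"{DIGEST_PREFIX}{ACCOUNT}_CloudTrail-Digest_us-east-1_20240301T020000Z.json.gz"

# Constructed "delivered" objects, keyed by S3 object key (raw bytes, not gzip, for clarity).
LOG_OBJECTS = {
    LOG1: b'{"Records":[{"eventName":"DeleteBucket","errorCode":"AccessDenied"}]}',
    LOG2: b'{"Records":[{"eventName":"ConsoleLogin"}]}',
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(digest_key: str, log_keys: list, store: dict, previous_key: str = None) -> bytes:
    """Serialise a digest covering log_keys, chained to previous_key when given."""
    digest = {
        "awsAccountId": ACCOUNT,
        "digestS3Bucket": BUCKET,
        "digestS3Object": digest_key,
        "logFiles": [
            {"s3Bucket": BUCKET, "s3Object": k, "hashAlgorithm": "SHA-256",
             "hashValue": sha256_hex(store[k])}
            for k in log_keys
        ],
        "previousDigestS3Bucket": BUCKET if previous_key else None,
        "previousDigestS3Object": previous_key,
        "previousDigestHashAlgorithm": "SHA-256" if previous_key else None,
        "previousDigestHashValue": sha256_hex(store[previous_key]) if previous_key else None,
    }
    return json.dumps(digest, sort_keys=True).encode()


def validate_chain(store: dict, digest_keys: list) -> list:
    """Return a list of problems; an empty list means every hash checks out."""
    problems = []
    for key in digest_keys:
        digest = json.loads(store[key])
        for entry in digest["logFiles"]:
            obj = store.get(entry["s3Object"])
            if obj is None:
                problems.append(f"missing log file {entry['s3Object']}")
            elif sha256_hex(obj) != entry["hashValue"]:
                problems.append(f"hash mismatch for {entry['s3Object']}")
        prev = digest["previousDigestS3Object"]
        if prev is not None:
            if prev not in store:
                problems.append(f"missing previous digest {prev}")
            elif sha256_hex(store[prev]) != digest["previousDigestHashValue"]:
                problems.append(f"digest chain broken at {key}")
    return problems


def demo() -> tuple:
    """(clean, log tampered, log and its digest tampered) -> three problem lists."""
    store = dict(LOG_OBJECTS)
    store[DIGEST1] = build_digest(DIGEST1, [LOG1], store)
    store[DIGEST2] = build_digest(DIGEST2, [LOG2], store, previous_key=DIGEST1)
    chain = [DIGEST1, DIGEST2]
    clean = validate_chain(store, chain)

    # An attacker strips the denied DeleteBucket from the first log file ...
    tampered = dict(store)
    tampered[LOG1] = store[LOG1].replace(b',"errorCode":"AccessDenied"', b"")

    # ... and then also re-issues the digest that covered it; the next digest still
    # pins the original digest's hash, so the break moves rather than disappears.
    covered = dict(tampered)
    covered[DIGEST1] = build_digest(DIGEST1, [LOG1], tampered)
    return clean, validate_chain(tampered, chain), validate_chain(covered, chain)


if __name__ == "__main__":
    for label, problems in zip(("clean", "log edited", "log + digest edited"), demo()):
        print(f"{label}: {problems or 'OK'}")
```

Note what the demo does not prove: an attacker with write access to the bucket could regenerate every digest in the chain, not just one. What stops that in the real service is the signature on each digest object, which only CloudTrail can produce, so a complete check always ends with signature verification against CloudTrail's published public key.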

## Success Metrics

To demonstrate mastery of this curriculum, the learner must be able to:

  1. Locate security events within the CloudTrail console within 2 minutes of a simulated incident.
  2. Configure a CloudWatch Alarm that triggers based on a specific keyword found in a log stream.
  3. Explain the difference between a single-region and all-region trail.
  4. Describe how CloudWatch and CloudTrail integrate to support "Enable traceability", one of the security design principles of the AWS Well-Architected Framework.

## Real-World Application

1. Incident Response

Security Operations Center (SOC) analysts use these logs to perform "post-mortem" analyses after a breach to identify the entry point and the extent of the "blast radius."

2. Compliance and Auditing

For industries like Finance or Healthcare, maintaining an immutable audit trail (CloudTrail delivering to an S3 bucket with Object Lock enabled, ideally in a separate logging account) is a standard control expected by SOC 2, HIPAA and PCI DSS assessors.

3. Automated Defense

By delivering CloudTrail events to CloudWatch Logs (or matching them with an Amazon EventBridge rule), organizations can invoke AWS Lambda to automatically revoke permissions or isolate an EC2 instance the moment a suspicious API call is recorded.

[!IMPORTANT] By default, CloudTrail Event History keeps only 90 days of management events, and no data events at all. For security and compliance, you must create a Trail (or a CloudTrail Lake event data store) to retain logs in S3 for longer durations and to capture data events such as S3 object-level access.
