BrainyBeeBrainyBee
Exam Cram Sheet925 words

AWS Certified Security - Specialty: Logging Solutions Cram Sheet

Design and implement logging solutions

AWS Certified Security - Specialty: Logging Solutions Cram Sheet

This cram sheet covers the essential strategies for designing and implementing logging solutions within the AWS ecosystem, specifically focused on the Detection (Domain 1) and Incident Response (Domain 2) areas of the SCS-C03 exam.

Topic Weighting

DomainWeightingTask Connection
Domain 1: Detection32%Task 1.2: Design and implement logging solutions
Domain 2: Incident Response20%Task 2.2: Respond to security events (forensic logging)

[!IMPORTANT] Centralization and Integrity are the two most frequently tested themes regarding logging in the Security Specialty exam.

Key Concepts Summary

1. AWS CloudTrail

  • Management Events: Default logging for control plane operations (e.g., RunInstances, TerminateInstances).
  • Data Events: High-volume resource operations (e.g., S3 GetObject, Lambda Invoke). Disabled by default due to cost.
  • Organization Trails: Created in the Management Account (or delegated admin); logs all accounts in the Org to a single S3 bucket.
  • Log File Validation: Uses SHA-256 hashing and digital signing to ensure logs haven't been tampered with after delivery.

2. CloudWatch Logs

  • Log Groups/Streams: Logical containers for log data.
  • Retention Policies: Configurable from 1 day to "Never Expire." Essential for compliance cost-management.
  • Log Insights: Fast, interactive query language for searching logs without needing Athena/OpenSearch.

3. VPC Flow Logs

  • Capture Filter: ALL, ACCEPT, or REJECT traffic.
  • Metadata: Captures Source/Dest IP, Port, Protocol, Bytes, and Packets. Does not capture the packet payload.

4. Amazon Security Lake

  • OCSF (Open Cybersecurity Schema Framework): Normalizes logs from diverse sources into a standard format.
  • Centralization: Automatically collects logs from CloudTrail, VPC Flow Logs, and Route 53 into an S3-backed data lake.

Visual Anchors

Centralized Logging Architecture

Loading Diagram...

Log Integrity Verification Process

Compiling TikZ diagram…
Running TeX engine…
This may take a few seconds

Common Pitfalls

  • ❌ DON'T store logs in the same account they are generated. If the account is compromised, the attacker can delete the logs.
  • ❌ DON'T forget to update the S3 Bucket Policy in the central account to allow s3:PutObject from the cloudtrail.amazonaws.com service principal.
  • ❌ DON'T enable S3 Data Events for all buckets unless strictly required for compliance; it is extremely expensive for high-traffic buckets.
  • ❌ DON'T assume CloudTrail captures everything; it does not capture data-plane actions for most services unless explicitly enabled.

Mnemonics / Memory Triggers

  • VICA (VPC Flow Logs): Version, Interface-ID, Capture-Filter, Action (Accept/Reject).
  • S3-LOG-SAFE: Server-side encryption, Lifecycle policies, Object lock (WORM), Glacier for long-term storage.
  • TRAIL-VAL: Tamper Resistance And Integrity Layer — Validation Always Leveraged.

Formula / Equation Sheet

Log SourcePrimary DestinationFormatUse Case
CloudTrailS3 / CloudWatch LogsJSONAPI auditing, user tracking
VPC Flow LogsS3 / CloudWatch LogsSpace-delimitedNetwork forensics, NACL testing
S3 Access LogsS3 BucketProprietary TextObject-level access tracking (Cheaper than CloudTrail Data Events)
Route 53 LogsCloudWatch LogsTextDNS Query troubleshooting
WAF LogsCloudWatch / S3 / FirehoseJSONWeb request inspection/filtering

Practice Set

  1. Which CloudTrail feature ensures that logs delivered to S3 have not been modified, deleted, or forged?
  2. To aggregate CloudTrail logs from 50 different accounts into a single bucket, what is the most efficient configuration?
  3. A security engineer needs to analyze web traffic patterns for a specific VPC. The logs must include source/destination IP and whether the traffic was dropped. Which service should be enabled?
  4. You need to search through 100GB of CloudWatch Logs for a specific error string using a SQL-like syntax. Which tool is best suited?
  5. Which framework does Amazon Security Lake use to normalize different log types?

Worked Examples

Scenario: Secure Centralized Logging for an Organization

Goal: Capture all API activity across an AWS Organization and ensure no account owner can delete their own logs.

  1. Step 1: Create a Central Logging Account. Create a dedicated AWS account (e.g., "Log-Archive-Account").
  2. Step 2: Create a Central S3 Bucket. In the Log-Archive account, create a bucket with SSE-KMS encryption and S3 Object Lock (Compliance mode) enabled.
  3. Step 3: Configure Organization Trail. In the Organization Management account, go to CloudTrail and create an "Organization Trail."
  4. Step 4: Set Destination. Point the trail to the S3 bucket in the Log-Archive account.
  5. Step 5: Implement Least Privilege. Apply an SCP (Service Control Policy) to all member accounts that denies cloudtrail:StopLogging, cloudtrail:DeleteTrail, and s3:DeleteObject on the log bucket.

Fact Recall Blanks

  • CloudTrail Log File Validation uses ______ (Hashing algorithm).
  • To stream CloudWatch Logs to a 3rd party SIEM in near real-time, use a ______ filter.
  • VPC Flow Logs capture ______ (Protocol) and ______ (Port) but not the actual data payload.
  • Amazon Security Lake stores data in ______ (Storage service) using the ______ (Format name) schema.
  • The default retention for CloudWatch Logs is ______.

Answers to Recall Blanks: SHA-256; Subscription; Protocol/Port; S3/OCSF; Never Expire.

All AWS Certified Security - Specialty (SCS-C03) Study Resources

Ready to study AWS Certified Security - Specialty (SCS-C03)?

Practice tests, flashcards, and all study notes — free, no sign-up needed.

Start Studying — Free