Curriculum Overview: Designing and Implementing AWS Logging Solutions

Design and implement logging solutions

This curriculum is designed for security engineers and architects preparing for the AWS Certified Security - Specialty (SCS-C03) exam. It focuses on the end-to-end lifecycle of security logs: from identification and ingestion to centralized storage and forensic analysis.

Prerequisites

Before starting this curriculum, learners should possess:

  • Foundational AWS Knowledge: Equivalent to the AWS Certified Cloud Practitioner or Solutions Architect Associate.
  • Identity & Access Management (IAM): Proficiency in writing and troubleshooting IAM policies, specifically for cross-account resource access.
  • Command Line Interface (CLI): Ability to use the AWS CLI for service configuration and log querying.
  • Networking Basics: Understanding of VPCs, Subnets, and Flow Logs.

Module Breakdown

| Module | Topic                                                   | Difficulty   | Est. Time |
|--------|---------------------------------------------------------|--------------|-----------|
| 1      | Foundations of Logging & Auditability                   | Beginner     | 2 Hours   |
| 2      | Core Management Logging (CloudTrail & Config)           | Intermediate | 4 Hours   |
| 3      | Network & Application Logging (VPC, Route 53, ALB)      | Intermediate | 5 Hours   |
| 4      | Centralization & Data Lakes (Security Lake & S3)        | Advanced     | 6 Hours   |
| 5      | Analysis, Correlation & Forensics (Athena & Detective)  | Advanced     | 5 Hours   |

Learning Objectives per Module

Module 1: Foundations of Logging & Auditability

  • Determine monitoring requirements based on workload sensitivity.
  • Understand the "Big Idea": Logging as the "Source of Truth" for security incidents.

Module 2: Core Management Logging

  • Configure CloudTrail: Set up organizational trails and understand the difference between Management and Data events.
  • AWS Config: Implement configuration recorders and Conformance Packs for compliance monitoring.

Module 3: Network & Edge Protection Logging

  • VPC Flow Logs: Configure ingestion for VPCs and Transit Gateways to monitor traffic patterns.
  • Edge Logs: Implement logging for CloudFront, AWS WAF, and Route 53 Resolver.

Module 4: Centralization & Storage

  • Amazon Security Lake: Implement a centralized data lake using the Open Cybersecurity Schema Framework (OCSF).
  • Log Integrity: Configure S3 Object Lock and MFA Delete to prevent log tampering.

Module 5: Analysis & Forensics

  • Log Insights: Use CloudWatch Logs Insights to query logs across multiple groups.
  • Correlation: Use Amazon Detective to visually map interactions between users and resources over time.

Visual Overview

The Logging Lifecycle (diagram not captured in this extract)

Log Integrity via Hashing (TikZ)

\begin{tikzpicture}[node distance=2cm, auto]
  \draw[thick] (0,0) rectangle (2,1) node[pos=.5] {Log Data};
  \draw[->, thick] (2,0.5) -- (3.5,0.5) node[midway, above] {Hash};
  \draw[thick, fill=gray!20] (3.5,-0.5) rectangle (5.5,1.5)
    node[pos=.5, text width=1.5cm, align=center] {Digital Signature};
  \draw[dashed] (0,-1) -- (5.5,-1) node[midway, below] {Immutable Storage (S3 Object Lock)};
\end{tikzpicture}
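The diagram shows log data being hashed, signed and written to immutable storage. The following is an added example, not part of the curriculum, of what that chain looks like in code: each digest covers one batch of records, carries the SHA-256 of the batch and the previous digest's signature, and is signed, so an edited or dropped batch is detectable on verification. CloudTrail's real digest files are signed with RSA-SHA256 using public keys AWS publishes; here HMAC-SHA256 with a local key stands in for that signature so the example runs offline on the standard library. The records, batches and key are constructed.

```python
"""Added example, not from the curriculum: a minimal hash-chained, signed log
digest (log data -> hash -> signature -> chain). HMAC-SHA256 with a local key
stands in for the RSA-SHA256 signature CloudTrail uses on its digest files.
Records and the key are constructed."""
import copy
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-example-key"  # stand-in for the digest signing key


def batch_hash(records):
    """SHA-256 over a canonical serialisation of one batch of log records."""
    data = "\n".join(json.dumps(r, sort_keys=True) for r in records).encode()
    return hashlib.sha256(data).hexdigest()


def sign_digest(digest):
    """Signature over every digest field except the signature itself."""
    body = {k: v for k, v in digest.items() if k != "signature"}
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def build_chain(batches):
    """Produce one signed digest per batch, each linked to its predecessor."""
    chain, previous_signature = [], None
    for records in batches:
        digest = {
            "logFileHash": batch_hash(records),
            "recordCount": len(records),
            "previousDigestSignature": previous_signature,
        }
        digest["signature"] = sign_digest(digest)
        chain.append(digest)
        previous_signature = digest["signature"]
    return chain


def verify_chain(batches, chain):
    """Return (ok, reason). For every digest in order, check its signature,
    its link to the previous digest, and that the batch still hashes to
    the recorded value."""
    if len(batches) != len(chain):
        return False, "digest count does not match batch count"
    previous_signature = None
    for i, (records, digest) in enumerate(zip(batches, chain)):
        if not hmac.compare_digest(sign_digest(digest), digest["signature"]):
            return False, f"digest {i}: signature invalid"
        if digest["previousDigestSignature"] != previous_signature:
            return False, f"digest {i}: link to previous digest broken"
        if digest["logFileHash"] != batch_hash(records):
            return False, f"digest {i}: log batch modified"
        previous_signature = digest["signature"]
    return True, "chain intact"


# Constructed batches of CloudTrail-like records.
SAMPLE_BATCHES = [
    [{"eventName": "ConsoleLogin", "userName": "alice"}],
    [{"eventName": "StopLogging", "userName": "alice"},
     {"eventName": "DeleteTrail", "userName": "alice"}],
    [{"eventName": "StartLogging", "userName": "bob"}],
]


def tampered_record_check():
    """Edit one record after the digests were produced: the batch hash no
    longer matches, even though every signature is still valid."""
    batches = copy.deepcopy(SAMPLE_BATCHES)
    chain = build_chain(batches)
    batches[1][0]["eventName"] = "DescribeTrails"  # hide the StopLogging call
    return verify_chain(batches, chain)


def dropped_batch_check():
    """Remove a batch together with its digest: the next digest still points
    at the removed digest's signature, so the link check fails."""
    chain = build_chain(SAMPLE_BATCHES)
    return verify_chain([SAMPLE_BATCHES[0], SAMPLE_BATCHES[2]], [chain[0], chain[2]])


if __name__ == "__main__":
    print(verify_chain(SAMPLE_BATCHES, build_chain(SAMPLE_BATCHES)))
    print(tampered_record_check())
    print(dropped_batch_check())
```

The chain only detects tampering after the fact; preventing it is the job of the immutable-storage layer in the diagram (S3 Object Lock, covered in Module 4), which is why the two are used together.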

Success Metrics

How to know you have mastered this curriculum:

  1. Metric 1: Ability to configure a cross-account CloudWatch Logs destination for centralized log aggregation.
  2. Metric 2: Successful execution of an Athena query to identify "Access Denied" errors across 6 months of CloudTrail logs in under 1 minute.
  3. Metric 3: Implementation of an S3 Bucket Policy that enforces encryption (SSE-KMS) and denies non-TLS traffic for all log uploads.
  4. Metric 4: Mastery of OCSF (Open Cybersecurity Schema Framework) terminology and its application within Amazon Security Lake.
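Metric 3 asks for a bucket policy that enforces SSE-KMS and denies non-TLS traffic. The following is an added example, not from the curriculum: the policy with its three Deny statements, plus a small offline evaluator that shows which constructed PutObject requests each statement blocks. The bucket name, account ID and object keys are placeholders; the condition keys and operators (`s3:x-amz-server-side-encryption`, `aws:SecureTransport`, `Null`, `StringNotEquals`, `Bool`) are the real S3/IAM ones, and the evaluator implements only as much of their semantics as this policy needs.

```python
"""Added example, not from the curriculum: a log-bucket policy requiring
SSE-KMS and TLS, and an offline evaluator for its Deny statements.
Bucket name, account ID and object keys are placeholders."""
import fnmatch

LOG_BUCKET = "example-central-logs"  # placeholder bucket name

LOG_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Encryption header absent entirely: deny explicitly with Null
            # rather than relying on how StringNotEquals treats missing keys.
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{LOG_BUCKET}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {   # Header present but requesting anything other than SSE-KMS.
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{LOG_BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # Any operation on the bucket or its objects over plain HTTP.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{LOG_BUCKET}", f"arn:aws:s3:::{LOG_BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _condition_matches(operator, key, expected, ctx):
    """Minimal semantics for the three operators this policy uses."""
    present = key in ctx
    if operator == "Null":             # "true" matches when the key is absent
        return (not present) == (expected == "true")
    if operator == "Bool":
        return present and ctx[key].lower() == expected.lower()
    if operator == "StringNotEquals":  # absent keys are handled by the Null statement
        return present and ctx[key] != expected
    raise ValueError(f"unsupported operator: {operator}")


def statement_denies(stmt, action, resource, ctx):
    """True if this Deny statement applies: action, resource and every
    condition must all match."""
    def as_list(v):
        return v if isinstance(v, list) else [v]
    if stmt["Effect"] != "Deny":
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt["Resource"])):
        return False
    return all(_condition_matches(op, k, v, ctx)
               for op, kv in stmt.get("Condition", {}).items() for k, v in kv.items())


def evaluate_put(request):
    """Evaluate a PutObject request given as {"key": str, "https": bool,
    "sse": str | None}. Returns ("DENY", Sid) for the first matching Deny
    statement, or ("ALLOW", None) when no Deny applies (a matching Allow from
    the writer's role or the bucket policy is still required to upload)."""
    resource = f"arn:aws:s3:::{LOG_BUCKET}/{request['key']}"
    ctx = {"aws:SecureTransport": "true" if request["https"] else "false"}
    if request.get("sse") is not None:
        ctx["s3:x-amz-server-side-encryption"] = request["sse"]
    for stmt in LOG_BUCKET_POLICY["Statement"]:
        if statement_denies(stmt, "s3:PutObject", resource, ctx):
            return "DENY", stmt["Sid"]
    return "ALLOW", None


# Constructed requests: one that should get through, one per Deny statement.
SAMPLE_REQUESTS = {
    "kms_over_tls":   {"key": "AWSLogs/111122223333/CloudTrail/a.json.gz", "https": True,  "sse": "aws:kms"},
    "no_sse_header":  {"key": "AWSLogs/111122223333/CloudTrail/b.json.gz", "https": True,  "sse": None},
    "sse_s3_not_kms": {"key": "AWSLogs/111122223333/CloudTrail/c.json.gz", "https": True,  "sse": "AES256"},
    "kms_over_http":  {"key": "AWSLogs/111122223333/CloudTrail/d.json.gz", "https": False, "sse": "aws:kms"},
}


def evaluate_samples():
    return {name: evaluate_put(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:16} -> {verdict}")
```

One operational caveat: once this policy is in place, every service that delivers to the bucket (CloudTrail, AWS Config, VPC Flow Logs) must itself be configured to write with SSE-KMS, otherwise its deliveries are the first thing the policy silently denies.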

Real-World Application

[!IMPORTANT] In a production environment, logs are not just for debugging; they are forensic evidence.

  • Compliance Audits: Using centralized logs to provide auditors with a point-in-time view of infrastructure changes (PCI-DSS, HIPAA, SOC2).
  • Incident Response (IR): Using Amazon Detective during a suspected breach to identify the blast radius of a compromised IAM credential.
  • Cost Management: Applying S3 Lifecycle policies to transition 90-day-old VPC Flow Logs to S3 Glacier Deep Archive, reducing storage costs by up to 90%.
  • Threat Hunting: Proactively searching for anomalous outbound traffic patterns (C2 callbacks) using Amazon OpenSearch Service and managed Grafana dashboards.
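The incident-response bullet above (scoping a compromised IAM credential) and Metric 2 ("Access Denied" errors across CloudTrail) are both questions asked of the same CloudTrail records. The following is an added example, not from the curriculum and not Amazon Detective or Athena output: it answers both questions offline over constructed CloudTrail-shaped records that use the real field names. Account IDs, ARNs, access key IDs and IP addresses are constructed placeholders, and the Athena table name `cloudtrail_logs` in the docstring is hypothetical.

```python
"""Added example, not from the curriculum: an offline stand-in for two
CloudTrail analysis tasks.

  access_denied_summary()  denied calls grouped by caller and API (Metric 2)
  blast_radius()           everything one access key touched (the IR scenario)

All identifiers and addresses below are constructed placeholders."""
from collections import Counter, defaultdict

COMPROMISED = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy",
               "accessKeyId": "AKIAEXAMPLECOMPROMISED"}
ANALYST = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Analyst/alice",
           "accessKeyId": "ASIAEXAMPLEANALYST"}

# Constructed records with the real CloudTrail field names. Successful calls
# carry no errorCode at all, as in real records.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7", "userIdentity": COMPROMISED},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7", "userIdentity": COMPROMISED,
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7", "userIdentity": COMPROMISED,
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.20", "userIdentity": ANALYST,
     "errorCode": "AccessDenied"},
]

# The error code for a denied call varies by service, so match on a set
# rather than the single string "AccessDenied".
ACCESS_DENIED_CODES = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}


def is_access_denied(event):
    return event.get("errorCode") in ACCESS_DENIED_CODES


def access_denied_summary(events):
    """Count denied calls per (caller ARN, service, API).

    Athena equivalent against a hypothetical CloudTrail table:
        SELECT useridentity.arn, eventsource, eventname, count(*) AS denied
        FROM cloudtrail_logs
        WHERE errorcode IN ('AccessDenied', 'AccessDeniedException',
                            'Client.UnauthorizedOperation')
        GROUP BY useridentity.arn, eventsource, eventname
        ORDER BY denied DESC
    """
    counts = Counter()
    for e in events:
        if is_access_denied(e):
            counts[(e["userIdentity"]["arn"], e["eventSource"], e["eventName"])] += 1
    return counts


def blast_radius(events, access_key_id):
    """Everything a single access key did: per service, the (region, API,
    outcome) triples, plus source IPs and the first/last event time. Denied
    calls are kept because they show what the caller attempted."""
    per_service, ips, times = defaultdict(set), set(), []
    for e in events:
        if e["userIdentity"].get("accessKeyId") != access_key_id:
            continue
        outcome = "denied" if is_access_denied(e) else "ok"
        per_service[e["eventSource"]].add((e["awsRegion"], e["eventName"], outcome))
        ips.add(e["sourceIPAddress"])
        times.append(e["eventTime"])
    return {
        "services": {svc: sorted(calls) for svc, calls in per_service.items()},
        "source_ips": sorted(ips),
        "first_seen": min(times) if times else None,
        "last_seen": max(times) if times else None,
    }


if __name__ == "__main__":
    for (arn, svc, api), n in access_denied_summary(SAMPLE_EVENTS).most_common():
        print(f"{n:3} denied  {arn}  {svc}:{api}")
    print(blast_radius(SAMPLE_EVENTS, COMPROMISED["accessKeyId"]))
```

Keying the blast radius on `accessKeyId` rather than the ARN matters in the IR case: an IAM user may have two keys, and only one of them is the compromised one.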

Comparison of Primary Log Sources

| Feature   | AWS CloudTrail             | VPC Flow Logs             | CloudWatch Logs           |
|-----------|----------------------------|---------------------------|---------------------------|
| Focus     | Management/API Activity    | Network Traffic (IP/Port) | OS & Application Events   |
| Scope     | Account or Organization    | VPC, Subnet, or ENI       | Instance or Service level |
| Storage   | S3 or CloudWatch           | S3 or CloudWatch          | CloudWatch Log Groups     |
| Integrity | Built-in Digest Validation | S3-level protection       | IAM & Access Controls     |
