Curriculum Overview: Designing and Implementing AWS Logging Solutions

Design and implement logging solutions

This curriculum is designed for security engineers and architects preparing for the AWS Certified Security - Specialty (SCS-C03) exam. It focuses on the end-to-end lifecycle of security logs: from identification and ingestion to centralized storage and forensic analysis.

Prerequisites

Before starting this curriculum, learners should possess:

  • Foundational AWS Knowledge: Equivalent to the AWS Certified Cloud Practitioner or Solutions Architect Associate.
  • Identity & Access Management (IAM): Proficiency in writing and troubleshooting IAM policies, specifically for cross-account resource access.
  • Command Line Interface (CLI): Ability to use the AWS CLI for service configuration and log querying.
  • Networking Basics: Understanding of VPCs, Subnets, and Flow Logs.

Module Breakdown

| Module | Topic | Difficulty | Est. Time |
|---|---|---|---|
| 1 | Foundations of Logging & Auditability | Beginner | 2 Hours |
| 2 | Core Management Logging (CloudTrail & Config) | Intermediate | 4 Hours |
| 3 | Network & Application Logging (VPC, Route 53, ALB) | Intermediate | 5 Hours |
| 4 | Centralization & Data Lakes (Security Lake & S3) | Advanced | 6 Hours |
| 5 | Analysis, Correlation & Forensics (Athena & Detective) | Advanced | 5 Hours |

Learning Objectives per Module

Module 1: Foundations of Logging & Auditability

  • Determine monitoring requirements based on workload sensitivity.
  • Understand the "Big Idea": Logging as the "Source of Truth" for security incidents.

Module 2: Core Management Logging

  • Configure CloudTrail: Set up organizational trails and understand the difference between Management and Data events.
  • AWS Config: Implement configuration recorders and Conformance Packs for compliance monitoring.

Module 3: Network & Edge Protection Logging

  • VPC Flow Logs: Configure ingestion for VPCs and Transit Gateways to monitor traffic patterns.
  • Edge Logs: Implement logging for CloudFront, AWS WAF, and Route 53 Resolver.

Module 4: Centralization & Storage

  • Amazon Security Lake: Implement a centralized data lake using the Open Cybersecurity Schema Framework (OCSF).
  • Log Integrity: Configure S3 Object Lock and MFA Delete to prevent log tampering.

Module 5: Analysis & Forensics

  • Log Insights: Use CloudWatch Logs Insights to query logs across multiple groups.
  • Correlation: Use Amazon Detective to visually map interactions between users and resources over time.

Visual Overview

[Diagram: The Logging Lifecycle]

[Diagram: Log Integrity via Hashing (TikZ)]

Success Metrics

How to know you have mastered this curriculum:

  1. Metric 1: Ability to configure a cross-account CloudWatch Logs destination for centralized log aggregation.
  2. Metric 2: Successful execution of an Athena query to identify "Access Denied" errors across 6 months of CloudTrail logs in under 1 minute.
  3. Metric 3: Implementation of an S3 Bucket Policy that enforces encryption (SSE-KMS) and denies non-TLS traffic for all log uploads.
  4. Metric 4: Mastery of OCSF (Open Cybersecurity Schema Framework) terminology and its application within Amazon Security Lake.
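As an added example (not part of the curriculum material) of the control described in Metric 3, the following Python builds the bucket policy document for a log destination bucket and includes an audit helper for reviewing a policy you did not write; the bucket name is a placeholder.

```python
import json

# Placeholder (assumption): the central log destination bucket
LOG_BUCKET = "example-central-security-logs"


def build_log_bucket_policy(bucket: str) -> dict:
    """Bucket policy for a log bucket: deny non-TLS requests and non-SSE-KMS uploads."""
    arn = f"arn:aws:s3:::{bucket}"
    deny_put = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": f"{arn}/*"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Any action over plaintext HTTP is denied, for the bucket and every key in it
                "Sid": "DenyNonTLS", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Uploads that request an encryption method other than SSE-KMS are denied
                **deny_put, "Sid": "DenyNonKmsEncryption",
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # Uploads that omit the encryption header entirely are denied as well
                **deny_put, "Sid": "DenyMissingEncryptionHeader",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def audit_log_bucket_policy(policy: dict) -> dict:
    """Check a policy document (e.g. from get_bucket_policy) for the two controls above.

    Only statements with Effect=Deny and Principal="*" count; returns
    {"denies_non_tls": bool, "requires_sse_kms": bool}.
    """
    result = {"denies_non_tls": False, "requires_sse_kms": False}
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny" or st.get("Principal") != "*":
            continue
        cond = st.get("Condition", {})
        if cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            result["denies_non_tls"] = True
        if cond.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption") == "aws:kms":
            result["requires_sse_kms"] = True
    return result


if __name__ == "__main__":
    # The JSON string is the Policy argument for s3.put_bucket_policy()
    print(json.dumps(build_log_bucket_policy(LOG_BUCKET), indent=2))
```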

Real-World Application

[!IMPORTANT] In a production environment, logs are not just for debugging; they are forensic evidence.

  • Compliance Audits: Using centralized logs to provide auditors with a point-in-time view of infrastructure changes (PCI-DSS, HIPAA, SOC2).
  • Incident Response (IR): Using Amazon Detective during a suspected breach to identify the blast radius of a compromised IAM credential.
  • Cost Management: Applying S3 Lifecycle policies to transition 90-day-old VPC Flow Logs to S3 Glacier Deep Archive, reducing storage costs by up to 90%.
  • Threat Hunting: Proactively searching for anomalous outbound traffic patterns (C2 callbacks) using Amazon OpenSearch Service and managed Grafana dashboards.

Comparison of Primary Log Sources

| Feature | AWS CloudTrail | VPC Flow Logs | CloudWatch Logs |
|---|---|---|---|
| Focus | Management/API Activity | Network Traffic (IP/Port) | OS & Application Events |
| Scope | Account or Organization | VPC, Subnet, or ENI | Instance or Service level |
| Storage | S3 or CloudWatch | S3 or CloudWatch | CloudWatch Log Groups |
| Integrity | Built-in Digest Validation | S3-level protection | IAM & Access Controls |
