Curriculum Overview: Troubleshooting AWS Security Logging and Resource Configuration

Analyze the functionality, permissions, and configuration of resources (for example, Lambda function logging, Amazon API Gateway logging, health checks, Amazon CloudFront logging)

This curriculum focuses on Domain 1 (Detection) and Domain 2 (Incident Response) of the AWS Certified Security - Specialty (SCS-C03) exam. It covers the deep-dive analysis of how AWS resources generate logs, the permissions required for those logs to flow, and how to remediate common misconfigurations.

Prerequisites

Before starting this module, learners should possess:

  • Foundational IAM Knowledge: Understanding of IAM Roles, Trust Policies, and Service-Linked Roles.
  • CloudWatch Core Concepts: Familiarity with Log Groups, Log Streams, Retention Policies, and Metric Filters.
  • Basic AWS Networking: Understanding of VPCs, Subnets, and the flow of traffic through Elastic Load Balancers and CloudFront.
  • AWS Security Fundamentals: General awareness of the Shared Responsibility Model regarding logging.

Module Breakdown

Module                    | Focus Area                                     | Difficulty   | Key Services
1. The IAM Foundation     | Identity-based permissions for log delivery    | Intermediate | IAM, CloudWatch Logs
2. Serverless Logging     | Lambda and API Gateway logging mechanics       | Intermediate | Lambda, API Gateway
3. Edge & Network Logging | CloudFront, WAF, and Route 53 Resolver logs    | Advanced     | CloudFront, WAF, Route 53
4. Troubleshooting Lab    | Identifying and fixing "Missing Log" scenarios | Advanced     | CloudWatch Agent, Systems Manager

Learning Objectives per Module

Module 1: The IAM Foundation

  • Analyze the Trust Relationships required for services like API Gateway to assume the cloudwatch.amazonaws.com role.
  • Configure resource-based policies for S3 buckets to accept logs from ELB and CloudFront.

Module 2: Serverless & App Logging

  • Differentiate between API Gateway Execution Logs (detailed) and Access Logs (customizable).
  • Validate Lambda execution role permissions (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents).
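The execution-role check in this objective, worked through as an added Python example (not part of the curriculum or any AWS tooling): it evaluates a Lambda execution role's identity policy against the three logs: actions for one log group and returns whatever is still missing, which is the first question to settle when a function's logs never appear. The account id, region, function name and sample policy are constructed; the evaluator handles wildcards and explicit Deny but skips Condition, NotAction and NotResource statements.

```python
import fnmatch

# Required on the Lambda execution role for logs to reach CloudWatch Logs.
REQUIRED_ACTIONS = ("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents")

# Constructed sample values (hypothetical account, region and function name).
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/order-api:*"
SAMPLE_POLICY = {  # second statement was copied from a us-west-2 deployment
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "logs:CreateLogGroup",
         "Resource": "arn:aws:logs:us-east-1:123456789012:*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-west-2:123456789012:log-group:/aws/lambda/order-api:*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    patterns = _as_list(patterns)
    if ignore_case:  # action names are case-insensitive, resource ARNs are not
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def missing_log_permissions(policy, log_group_arn):
    """Return the required logs: actions that the identity policy does not grant
    on log_group_arn. An explicit Deny overrides any Allow, as in IAM evaluation.
    Simplification: statements with Condition, NotAction or NotResource are skipped."""
    missing = []
    for action in REQUIRED_ACTIONS:
        allowed = denied = False
        for stmt in policy.get("Statement", []):
            if "Condition" in stmt or "NotAction" in stmt or "NotResource" in stmt:
                continue
            if not _matches(stmt.get("Action", []), action, ignore_case=True):
                continue
            if not _matches(stmt.get("Resource", []), log_group_arn):
                continue
            if stmt.get("Effect") == "Deny":
                denied = True
            elif stmt.get("Effect") == "Allow":
                allowed = True
        if denied or not allowed:
            missing.append(action)
    return missing

def least_privilege_statement(log_group_arn):
    """Allow statement that grants exactly the three actions on one log group."""
    return {"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": log_group_arn}
```

Feed it the policy document returned by get-role-policy or get-policy-version for the role, and use least_privilege_statement as the replacement once the missing actions are known.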

Module 3: Edge & Network Visibility

  • Determine the correct destination for CloudFront Standard Logs (S3) vs. Real-time Logs (Kinesis Data Streams).
  • Troubleshoot Route 53 Resolver Query Logging and VPC Flow Log delivery failures.

Module 4: Advanced Remediation

  • Diagnose CloudWatch Agent issues using configuration-validation.log.
  • Implement automated remediation for non-compliant logging using AWS Config and Systems Manager Automation.

Visual Overview

The Logging Permission Flow

[Diagram not captured in this copy]

Resource Configuration Logic

AWS Resource --(generate event)--> Logging Config --(assume role)--> CloudWatch/S3 Target

Critical point (!): the IAM trust policy on the role the service assumes.

Success Metrics

You have mastered this curriculum when you can:

  1. Identify why logs are missing: Determine if the issue is a missing IAM permission, a service-side configuration toggle, or a destination resource policy (e.g., S3 Bucket Policy).
  2. Read Log Metadata: Successfully use CloudWatch Logs Insights to parse and query logs from at least three different AWS services.
  3. Perform Root Cause Analysis: Use Amazon Detective or CloudTrail to identify the specific API call that failed, resulting in a logging gap.
  4. Configure Multi-Destination Logging: Set up a single resource (such as VPC Flow Logs) to deliver to both S3 and CloudWatch Logs simultaneously.

Real-World Application

Important: In a production environment, "blind spots" in logging are a massive security risk. If an attacker compromises a Lambda function and deletes the logs, or if permissions were never set, your Incident Response team will have no forensic trail.

  • Forensics: During a breach, these logs provide the "who, what, and when" necessary for legal and compliance reporting.
  • Cost Management: Troubleshooting logging configurations also involves managing costs (e.g., choosing what to log in API Gateway to avoid massive CloudWatch bills).
  • Audit Compliance: Maintaining continuous logging for services like CloudFront and Route 53 is a requirement for many frameworks (SOC2, PCI-DSS, HIPAA).

Appendix: Service Comparison Table

Service       | Primary Log Target     | Permission Type
Lambda        | CloudWatch Logs        | IAM Execution Role
API Gateway   | CloudWatch Logs        | Account-level IAM Role ARN
CloudFront    | S3 Bucket              | S3 Bucket Policy (ACLs for older)
Route 53      | CloudWatch/S3/Kinesis  | Service-Linked Role
VPC Flow Logs | CloudWatch/S3          | IAM Role or Resource Policy
