AWS prescriptive-guidance documentation change
Summary
Updated documentation for Log Archive account with formatting changes, expanded service examples, corrected links, added security best practices for Amazon Security Lake, and included new design considerations about CloudTrail costs.
Security assessment
The changes add security documentation by expanding the list of AWS services logging to S3 (including security services like GuardDuty), emphasizing S3 security controls (integrity, confidentiality, availability), and adding explicit recommendations for Security Lake including IAM policies, SCPs, S3 access notifications, and pipeline-based configuration management. However, there is no evidence of addressing a specific security vulnerability or incident.
Diff
diff --git a/prescriptive-guidance/latest/security-reference-architecture/log-archive.md b/prescriptive-guidance/latest/security-reference-architecture/log-archive.md index 7aca1738e..e174c6ee1 100644 --- a//prescriptive-guidance/latest/security-reference-architecture/log-archive.md +++ b//prescriptive-guidance/latest/security-reference-architecture/log-archive.md @@ -3 +3 @@ -[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture](welcome.html) +[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture (AWS SRA) – core architecture](introduction.html) @@ -7 +7 @@ Types of logsAmazon S3 as central log storeAmazon Security Lake -# Security OU - Log Archive account +# Security OU – Log Archive account @@ -14 +14 @@ The following diagram illustrates the AWS security services that are configured - + @@ -20,4 +20 @@ The Log Archive account is dedicated to ingesting and archiving all security-rel - * Operational log data used by your infrastructure, operations, and workload teams often overlaps with the log data used by security, audit, and compliance teams. We recommend that you consolidate your operational log data into the Log Archive account. Based on your specific security and governance requirements, you might need to filter operational log data saved to this account. You might also need to specify who has access to the operational log data in the Log Archive account. - - - +Operational log data used by your infrastructure, operations, and workload teams often overlaps with the log data used by security, audit, and compliance teams. We recommend that you consolidate your operational log data into the Log Archive account. Based on your specific security and governance requirements, you might need to filter operational log data saved to this account. You might also need to specify who has access to the operational log data in the Log Archive account. @@ -27 +24 @@ The Log Archive account is dedicated to ingesting and archiving all security-rel -The primary logs shown in the AWS SRA include CloudTrail (organization trail), Amazon VPC flow logs, access logs from Amazon CloudFront and AWS WAF, and DNS logs from Amazon Route 53. These logs provide an audit of actions taken (or attempted) by a user, role, AWS service, or network entity (identified, for example, by an IP address). Other log types (for example, application logs or database logs) can be captured and archived as well. For more information about log sources and logging best practices, see the [security documentation for each service](https://docs.aws.amazon.com/security/). +The primary logs shown in the AWS SRA include AWS CloudTrail (organization trail), Amazon VPC flow logs, access logs from Amazon CloudFront and AWS WAF, and DNS logs from Amazon Route 53. These logs provide an audit of actions taken (or attempted) by a user, role, AWS service, or network entity (identified, for example, by an IP address). Other log types (for example, application logs or database logs) can be captured and archived as well. For more information about log sources and logging best practices, see the [security documentation for each service](https://docs.aws.amazon.com/security/). @@ -31 +28 @@ The primary logs shown in the AWS SRA include CloudTrail (organization trail), A -Many AWS services log information in Amazon S3—either by default or exclusively. AWS CloudTrail, Amazon VPC Flow Logs, AWS Config, and Elastic Load Balancing are some examples of services that log information in Amazon S3. This means that log integrity is achieved through S3 object integrity; log confidentiality is achieved through S3 object access controls; and log availability is achieved through S3 Object Lock, S3 object versions, and S3 Lifecycle rules. By logging information in a dedicated and centralized S3 bucket that resides in a dedicated account, you can manage these logs in just a few buckets and enforce strict security controls, access, and separation of duties. +Many AWS services log information in Amazon S3—either by default or exclusively. AWS CloudTrail, Amazon VPC Flow Logs, Elastic Load Balancing, Amazon GuardDuty, AWS Config, and AWS WAF are some examples of services that log information in Amazon S3. This means that log integrity is achieved through S3 object integrity; log confidentiality is achieved through S3 object access controls; and log availability is achieved through S3 Object Lock, S3 object versions, and S3 Lifecycle rules. By logging information in a dedicated and centralized S3 bucket that resides in a dedicated account, you can manage these logs in just a few buckets and enforce strict security controls, access, and separation of duties. @@ -41 +38 @@ In addition to protecting the S3 bucket itself, you can adhere to the principle -Use detective controls, such as those delivered by AWS Config and AWS IAM Access Analyzer, to monitor (and alert and remediate) this broader collective of preventive controls for unexpected changes. +Use detective controls, such as those delivered by AWS Config and IAM Access Analyzer, to monitor (and alert and remediate) this broader collective of preventive controls for unexpected changes. @@ -43 +40 @@ Use detective controls, such as those delivered by AWS Config and AWS IAM Access -For a deeper discussion of security best practices for S3 buckets, see the [Amazon S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html), [online tech talks](https://www.youtube.com/watch?v=7M3s_ix9ljE), and the blog post [Top 10 security best practices for securing data in Amazon S3](https://aws.amazon.com/blogs/security/top-10-security-best-practices-for-securing-data-in-amazon-s3/). +For a deeper discussion of security best practices for S3 buckets, see the [Amazon S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html), [online tech talks](https://www.youtube.com/watch?v=7M3s_ix9ljE), and the blog post [Top 10 security best practices for securing data in Amazon S3](https://aws.amazon.com/blogs/security/top-10-security-best-practices-for-securing-data-in-amazon-s3/). @@ -53 +50 @@ AWS SRA recommends that you use the Log Archive account as the delegated adminis -To protect the availability of the logs and the log management process, the S3 buckets for Security Lake should be accessed only by the Security Lake service or by IAM roles that are managed by Security Lake for sources or subscribers. In addition to using preventive controls—such as assigning least-privilege roles for access, and encrypting logs with a controlled AWS Key Management Services (AWS KMS) key—use detective controls such as AWS Config to monitor (and alert and remediate) this collection of permissions for unexpected changes. +To protect the availability of the logs and the log management process, the S3 buckets for Security Lake should be accessed only by the Security Lake service or by IAM roles that are managed by Security Lake for sources or subscribers. In addition to using preventive controls―such as assigning least-privilege roles for access, and encrypting logs with a controlled AWS KMS key―use detective controls such as AWS Config to monitor (and alert and remediate) this collection of permissions for unexpected changes. @@ -61 +58,5 @@ AWS Security Hub CSPM is a supported native data source in Security Lake, and yo -To gain visibility and actionable insights from logs and events, you can query the data by using tools such as [Amazon Athena](https://docs.aws.amazon.com/athena/latest/ug/what-is.html), [Amazon OpenSearch Service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html), [Amazon Quicksight](https://docs.aws.amazon.com/quicksight/latest/developerguide/welcome.html), and third-party solutions. Users who require access to the Security Lake log data shouldn’t access the Log Archive account directly. They should access data only from the Security Tooling account. Or they can use other AWS accounts or on-premises locations that provide analytics tools such as OpenSearch Service, QuickSight, or third-party tools such as security information and event management (SIEM) tools. To provide access to the data, the administrator should configure [Security Lake subscribers](https://docs.aws.amazon.com/security-lake/latest/userguide/subscriber-management.html) in the Log Archive account and configure the account that needs access to the data as a [query access subscriber](https://docs.aws.amazon.com/security-lake/latest/userguide/subscriber-query-access.html). For more information, see [Amazon Security Lake](./security-tooling.html#tool-security-lake) in the _Security OU – Security Tooling account_ section of this guide. +To gain visibility and actionable insights from logs and events, you can query the data by using tools such as [Amazon Athena](https://docs.aws.amazon.com/athena/latest/ug/what-is.html), [Amazon OpenSearch Service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html), [Amazon Quick Suite](https://docs.aws.amazon.com/quicksuite/latest/userguide/what-is.html), and third-party solutions. Users who require access to the Security Lake log data shouldn't access the Log Archive account directly. They should access data only from the Security Tooling account. Or they can use other AWS accounts or on-premises locations that provide analytics tools such as OpenSearch Service, Quick Suite, or third-party tools such as security information and event management (SIEM) tools. To provide access to the data, the administrator should configure [Security Lake subscribers](https://docs.aws.amazon.com/security-lake/latest/userguide/subscriber-management.html) in the Log Archive account and configure the account that needs access to the data as a [query access subscriber](https://docs.aws.amazon.com/security-lake/latest/userguide/subscriber-query-access.html). For more information, see [Amazon Security Lake](./security-tooling.html#tool-security-lake) in the _Security OU ‒ Security Tooling account_ section of this guide. + +Security Lake provides an AWS managed policy to help you manage administrator access to the service. For more information, see the [Security Lake User Guide](https://docs.aws.amazon.com/security-lake/latest/userguide/security-iam-awsmanpol.html). As a best practice, we recommend that you restrict the configuration of Security Lake through development pipelines and prevent configuration changes through the AWS consoles or the AWS Command Line Interface (AWS CLI). Additionally, you should set up strict IAM policies and service control policies (SCPs) to provide only necessary permissions to manage Security Lake. You can [configure notifications](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html) to detect any direct access to these S3 buckets. + +###### Design consideration @@ -63 +64 @@ To gain visibility and actionable insights from logs and events, you can query t -Security Lake provides an AWS managed policy to help you manage administrator access to the service. For more information, see the [Security Lake User Guide](https://docs.aws.amazon.com/security-lake/latest/userguide/security-iam-awsmanpol.html). As a best practice, we recommend that you restrict the configuration of Security Lake through development pipelines and prevent configuration changes through the AWS consoles or the AWS Command Line Interface (AWS CLI). Additionally, you should set up strict IAM policies and service control policies (SCPs) to provide only necessary permissions to manage Security Lake. You can [configure notification](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html)s to detect any direct access to these S3 buckets. +When you enable CloudTrail management events in Security Lake, they result in Security Lake charges. The collection of CloudTrail management events in Security Lake requires an CloudTrail multi-Region organization trail that collects read and write CloudTrail management events. This first trail is available at no cost to you. CloudTrail management events typically make up a small percentage (around 5%) of total CloudTrail events. This applies to customers who use AWS Control Tower or have centralized CloudTrail logs in a Log Archive account. @@ -71 +72 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Security OU - Security Tooling account +Security OU – Security Tooling account @@ -73 +74 @@ Security OU - Security Tooling account -Infrastructure OU - Network account +Infrastructure OU – Network account