Audit Trails and Activity Logs

CloudWatch Logs
AWS CloudWatch Logs is the preferred service for aggregating and accessing recent logs. It integrates with other AWS services, providing a unified Web-based view of log types across multiple sources, eliminating the need to connect to individual servers and find specific files.

Accessing and Filtering Logs
Logs are available in the AWS Console under the CloudWatch service, then navigating to Logs / Log Groups. See the AWS documentation pages "View Log Data Sent to CloudWatch Logs" and "Filter and pattern syntax".

EC2 Virtual Machine Logs
Virtual machine logs that capture interesting operational and security events are collected by the AWS CloudWatch agent and stored in CloudWatch log groups named after the log file:

  • /var/log/aide: stores AIDE file integrity monitoring logs
  • /var/log/audit: stores virtual machine-level events captured by the auditd framework
  • /var/log/auth or /var/log/secure: store server authentication logs
  • /var/log/clamav: stores the output of ClamAV scans
  • /var/log/syslog: stores server syslogs (system events)

Individual log streams are named after each machine's private DNS address, which can be found in the EC2 console's "Details" tab. These logs are retained for 1 month; older logs can be found in an S3 bucket (details further below).

Web Server Logs
Apache and Nginx logs from multiple instances are stored in the /var/log/apache and /var/log/nginx log groups. These logs are also retained for a month, and older logs are archived in S3.

Container Logs
Docker container logs can be found in the containers log group. Log streams are named using each container's unique ID, which can be identified by running docker ps on your EC2 instances. Container logs are stored for a year and are not archived in S3.

Database Logs
Amazon RDS publishes its logs to a group name starting with /aws/rds/instance. You can also access the same logs in the RDS console under each instance.

Other Log Types
cloudtrail-all-regions is a special log group, consolidating multi-region AWS CloudTrail (see below) audit logs into one stream. This stream is integrated with dynamic filters and CloudWatch alarms for compliance monitoring purposes.
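The filter patterns mentioned under "Accessing and Filtering Logs" and the compliance filters attached to the cloudtrail-all-regions group both operate on the JSON records CloudTrail delivers. The following is an added example, not code from this page or from AWS: it parses CloudTrail records in the newline-delimited form a log stream exports and applies four rules commonly used for compliance alarms (root account activity, console login without MFA, CloudTrail configuration changes, unauthorized API calls), alongside the CloudWatch Logs metric-filter pattern each rule corresponds to. The sample records, account IDs and event IDs are constructed for the example.

```python
"""Evaluate CloudTrail records against compliance rules (added example, not page code)."""
import json
from typing import Callable, Dict, List, Tuple

# Constructed sample records using CloudTrail's field names; all values are made up.
SAMPLE_RECORDS = [
    {"eventID": "evt-1", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "evt-2", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "evt-3", "eventType": "AwsApiCall", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "cloudtrail-all-regions"}},
    {"eventID": "evt-4", "eventType": "AwsApiCall", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
    {"eventID": "evt-5", "eventType": "AwsApiCall", "eventName": "PutObject",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/app/i-0example"}},
    # Root credentials used by an AWS service on the account's behalf: excluded by the root rule.
    {"eventID": "evt-6", "eventType": "AwsServiceEvent", "eventName": "CreateBackup",
     "userIdentity": {"type": "Root", "invokedBy": "backup.amazonaws.com"}},
]


def _root_activity(r: dict) -> bool:
    ident = r.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and r.get("eventType") != "AwsServiceEvent")


def _console_login_without_mfa(r: dict) -> bool:
    return (r.get("eventName") == "ConsoleLogin"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def _cloudtrail_config_change(r: dict) -> bool:
    return r.get("eventName") in {"CreateTrail", "UpdateTrail", "DeleteTrail",
                                  "StartLogging", "StopLogging"}


def _unauthorized_api_call(r: dict) -> bool:
    code = r.get("errorCode", "")
    # Mirrors the "*UnauthorizedOperation" / "AccessDenied*" wildcards of the metric filter.
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


# rule name -> (predicate, equivalent CloudWatch Logs metric-filter pattern)
RULES: Dict[str, Tuple[Callable[[dict], bool], str]] = {
    "root_account_activity": (_root_activity,
        '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
        '&& $.eventType != "AwsServiceEvent" }'),
    "console_login_without_mfa": (_console_login_without_mfa,
        '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }'),
    "cloudtrail_config_change": (_cloudtrail_config_change,
        '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) '
        '|| ($.eventName = StartLogging) || ($.eventName = StopLogging) }'),
    "unauthorized_api_call": (_unauthorized_api_call,
        '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'),
}


def parse_log_events(text: str) -> List[dict]:
    """Parse newline-delimited JSON (one CloudTrail record per log event); blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate(records: List[dict]) -> Dict[str, List[str]]:
    """Return, for every rule, the eventIDs of the records that match it."""
    hits: Dict[str, List[str]] = {name: [] for name in RULES}
    for record in records:
        for name, (predicate, _pattern) in RULES.items():
            if predicate(record):
                hits[name].append(record["eventID"])
    return hits


def main() -> None:
    stream = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)  # what an exported stream looks like
    for name, ids in evaluate(parse_log_events(stream)).items():
        print(f"{name}: {ids}   filter pattern: {RULES[name][1]}")


if __name__ == "__main__":
    main()
```

The predicates are the part you would extend; the pattern strings are what you would attach as metric filters to the cloudtrail-all-regions log group, with an alarm on each metric, so that the console and the batch check agree on what counts as a finding.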

patching contains logs of daily EC2 instance patching jobs managed by AWS SSM Patch Manager.

The /vpc/vpc-* log groups contain VPC flow logs.

The ssm_sessions log group stores copies of recorded sessions from Systems Manager Session Manager, which provides an alternative to using SSH to connect to EC2 instances.

If you'd like to see other logs in the CloudWatch Logs interface, please create a support ticket.

CloudTrail Audit Log
AWS CloudTrail records changes to all AWS resources and their configurations. Besides the CloudWatch Log Group mentioned above, which is used for monitoring specific data events, long term storage of CloudTrail data is persisted to an encrypted S3 bucket named cloudtrail-all-regions-*.

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It works in tandem with CloudTrail, SecurityHub, and other supporting services.

Long Term Archival of Logs in S3 
Based on data retention requirements, logs might need to be stored for several years; however, the cost of doing so in CloudWatch can add up significantly. Therefore, Amazon S3 is used to archive logs for a longer duration beyond the retention periods configured in CloudWatch Logs, which helps reduce storage-related costs. In addition, certain logs cannot be stored in CloudWatch and must be stored in S3 by default.

S3 bucket names are unique across all AWS accounts and, therefore, have a specific naming convention in your account using the following format: purpose-region-account-random_id. Here is a summary of some of the S3 buckets you might find in your account:

  • access-logs-*: provides detailed records for the requests that are made to other S3 buckets (reference)
  • archived-logs-*: long term storage of EC2 virtual machine logs
  • aws-config-*: required by AWS Config for storing its service logs
  • cloudtrail-all-regions-*: required by AWS CloudTrail for storing its service logs
  • load-balancer-logs-*: if you are using AWS Load Balancers, their traffic logs are stored in this bucket
  • macie-*: required by AWS Macie for storing its service logs
  • waf-*: if you are using the AWS Web Application Firewall (WAF) service, its logs are stored in this bucket

PHI Auditing Requirements
AWS does not provide automated capabilities to audit access to protected health information as required by HIPAA. The auditing and logging mechanisms described above capture information about potential access to PHI through the AWS console and APIs. However, it is a customer responsibility to implement functionality within their applications to record the viewing, modification, and destruction of PHI. This can be as simple as implementing an "audit_trail" database table that records the details of the interaction. If a record containing PHI is deleted, the audit trail should preserve the original record.
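One way to implement the "audit_trail" table described above, as an added example rather than code from this page or from AWS: every view, modification and deletion of a PHI record writes an audit row naming the actor and the action, the delete path snapshots the full record before removing it so the original is preserved, and two triggers make the audit table append-only. SQLite is used so the example runs offline; the patient_record layout, the column names and the actor names are assumptions made for the example.

```python
"""Application-level PHI audit trail (added example, not page code)."""
import json
import sqlite3
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed schema for the example. patient_record stands in for any table holding PHI.
SCHEMA = """
CREATE TABLE patient_record (
    id        INTEGER PRIMARY KEY,
    mrn       TEXT NOT NULL,
    diagnosis TEXT
);
CREATE TABLE audit_trail (
    id            INTEGER PRIMARY KEY,
    occurred_at   TEXT NOT NULL,
    actor         TEXT NOT NULL,
    action        TEXT NOT NULL CHECK (action IN ('create', 'view', 'modify', 'delete')),
    table_name    TEXT NOT NULL,
    record_id     INTEGER NOT NULL,
    record_before TEXT,   -- JSON snapshot of the row before the action (preserved on delete)
    record_after  TEXT    -- JSON snapshot of the row after the action
);
-- Backstop at the database layer: audit rows can never be changed or removed.
CREATE TRIGGER audit_trail_no_update BEFORE UPDATE ON audit_trail
BEGIN SELECT RAISE(ABORT, 'audit_trail is append-only'); END;
CREATE TRIGGER audit_trail_no_delete BEFORE DELETE ON audit_trail
BEGIN SELECT RAISE(ABORT, 'audit_trail is append-only'); END;
"""
MUTABLE_COLUMNS = {"mrn", "diagnosis"}  # only these may be named in an UPDATE


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def _snapshot(conn: sqlite3.Connection, record_id: int) -> Optional[Dict]:
    row = conn.execute("SELECT * FROM patient_record WHERE id = ?", (record_id,)).fetchone()
    return dict(row) if row else None


def _audit(conn, actor: str, action: str, record_id: int, before, after) -> None:
    conn.execute(
        "INSERT INTO audit_trail (occurred_at, actor, action, table_name, record_id,"
        " record_before, record_after) VALUES (?, ?, ?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), actor, action, "patient_record", record_id,
         json.dumps(before) if before is not None else None,
         json.dumps(after) if after is not None else None))


def create_record(conn, actor: str, mrn: str, diagnosis: str) -> int:
    with conn:  # audit row and data change commit (or roll back) together
        cur = conn.execute("INSERT INTO patient_record (mrn, diagnosis) VALUES (?, ?)", (mrn, diagnosis))
        _audit(conn, actor, "create", cur.lastrowid, None, _snapshot(conn, cur.lastrowid))
    return cur.lastrowid


def view_record(conn, actor: str, record_id: int) -> Optional[Dict]:
    with conn:
        row = _snapshot(conn, record_id)
        _audit(conn, actor, "view", record_id, row, None)  # reads are logged too
    return row


def modify_record(conn, actor: str, record_id: int, **changes) -> Dict:
    unknown = set(changes) - MUTABLE_COLUMNS
    if unknown:
        raise ValueError(f"not an updatable column: {sorted(unknown)}")
    with conn:
        before = _snapshot(conn, record_id)
        if before is None:
            raise LookupError(f"no record {record_id}")
        assignments = ", ".join(f"{col} = ?" for col in changes)  # names validated above
        conn.execute(f"UPDATE patient_record SET {assignments} WHERE id = ?",
                     (*changes.values(), record_id))
        after = _snapshot(conn, record_id)
        _audit(conn, actor, "modify", record_id, before, after)
    return after


def delete_record(conn, actor: str, record_id: int) -> Dict:
    with conn:
        before = _snapshot(conn, record_id)
        if before is None:
            raise LookupError(f"no record {record_id}")
        _audit(conn, actor, "delete", record_id, before, None)  # preserve the original first
        conn.execute("DELETE FROM patient_record WHERE id = ?", (record_id,))
    return before


def audit_entries(conn, record_id: int) -> List[Dict]:
    rows = conn.execute("SELECT action, actor, record_before, record_after FROM audit_trail"
                        " WHERE record_id = ? ORDER BY id", (record_id,)).fetchall()
    return [dict(r) for r in rows]


def preserved_record(entry: Dict) -> Optional[Dict]:
    """Decode the snapshot stored in an audit entry's record_before column."""
    return json.loads(entry["record_before"]) if entry["record_before"] else None


def audit_trail_is_append_only(conn) -> bool:
    """True if the database refuses to delete audit rows (the trigger backstop works)."""
    try:
        conn.execute("DELETE FROM audit_trail")
    except sqlite3.DatabaseError:
        return True
    return False


def live_record_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM patient_record").fetchone()[0]
```

The audit insert and the data change share one transaction, so a failure in either leaves neither behind; the triggers mean that even a defect in the application layer cannot quietly erase history.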