Analysis Summary: Getting the most value out of your cloud logs
# Best Practices: Cloud Logging and Detection
## Overview
These practices focus on establishing a robust cloud detection and response program by categorizing, prioritizing, and configuring the collection of essential cloud logs. Effective logging is crucial for identifying and mitigating attacks, particularly those targeting the cloud control plane, a risk highlighted by incidents such as major signing key compromises.
## Key Recommendations
### Immediate Actions
1. **Prioritize Control Plane Logs:** Immediately focus on enabling and centralizing logs related to the cloud **Control Plane** (management/identity/resource activities), as these offer the broadest coverage across the cyber kill chain.
2. **Validate Default Log Configuration:** Verify that basic management/control plane logs (e.g., AWS CloudTrail management events, Azure Subscription Activity Logs) are enabled by default across all relevant cloud accounts/subscriptions.
3. **Address Gaps in Error Logging (Google Workspace):** For Google Workspace, recognize that non-login log types generally omit error logs, and plan supplementary detection methods to monitor failed identity modifications.
### Short-term Improvements (1-3 months)
1. **Implement Organization-wide Logging (AWS):** Deploy AWS Organization Trails to ensure centralized and comprehensive logging across all existing and newly created AWS accounts within the organization.
2. **Centralize Log Ingestion:** Establish a consistent mechanism to stream all relevant cloud logs (especially Google Workspace logs) into a single, centralized ingestion point (e.g., a central GCP project or SIEM) for unified security analysis.
3. **Extend Log Retention:** Extend the default retention periods for critical logs (like Azure Subscription Activity Logs, which default to 30 days) to meet organizational compliance and investigation needs (e.g., aiming for 90+ days where possible).
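The Immediate Actions above (prioritize and validate control-plane logs) and the first Short-term item (an Organization Trail) can be turned into a repeatable check. The following is an added example, not code from the original page: it audits CloudTrail trail records for the properties recommended here (an Organization Trail exists, it is multi-region, management events are captured for reads and writes, and log file validation is on). The trail and event-selector records are constructed to match the shape boto3 returns from `describe_trails()` and `get_event_selectors()`; bucket and trail names are placeholders, and a real audit would fetch the records with boto3 rather than hard-code them.

```python
"""Audit AWS CloudTrail configuration against the control-plane logging baseline.

Added example (not from the original page). Input records are constructed to
mirror boto3's describe_trails()["trailList"] and
get_event_selectors()["EventSelectors"]; a real run would call those APIs.
"""
from dataclasses import dataclass, field

# Constructed sample: one legacy account-local trail and one organization trail.
SAMPLE_TRAILS = [
    {
        "Name": "legacy-account-trail",           # placeholder name
        "HomeRegion": "us-east-1",
        "IsMultiRegionTrail": False,
        "IsOrganizationTrail": False,
        "LogFileValidationEnabled": False,
        "S3BucketName": "example-legacy-trail-bucket",  # placeholder bucket
    },
    {
        "Name": "org-trail",                      # placeholder name
        "HomeRegion": "us-east-1",
        "IsMultiRegionTrail": True,
        "IsOrganizationTrail": True,
        "LogFileValidationEnabled": True,
        "S3BucketName": "example-central-log-bucket",   # placeholder bucket
    },
]

# Constructed sample: basic event selectors keyed by trail name. A trail that
# uses advanced event selectors returns "AdvancedEventSelectors" instead and
# would need a separate check (not covered here).
SAMPLE_EVENT_SELECTORS = {
    "legacy-account-trail": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}
    ],
    "org-trail": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True}
    ],
}


@dataclass
class TrailFinding:
    """Result of auditing one trail: an empty issue list means compliant."""
    name: str
    issues: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.issues


def audit_trail(trail: dict, selectors: list) -> TrailFinding:
    """Apply the baseline checks to a single trail record."""
    finding = TrailFinding(name=trail["Name"])
    if not trail.get("IsMultiRegionTrail"):
        finding.issues.append("not multi-region: activity in other regions is invisible")
    if not trail.get("LogFileValidationEnabled"):
        finding.issues.append("log file validation disabled: log tampering cannot be detected")
    # Management events must cover reads and writes; a WriteOnly selector drops
    # the discovery and enumeration calls that give the earliest warning.
    mgmt = [s for s in selectors if s.get("IncludeManagementEvents")]
    if not mgmt:
        finding.issues.append("management events not captured")
    elif not any(s.get("ReadWriteType") == "All" for s in mgmt):
        finding.issues.append(
            "management events limited to " + str(mgmt[0].get("ReadWriteType"))
        )
    return finding


def audit_account(trails: list, selectors_by_trail: dict):
    """Return (has_compliant_org_trail, findings) for a list of trail records.

    Only a compliant Organization Trail counts: it is what guarantees newly
    created accounts are logged from the moment they are provisioned.
    """
    findings = [audit_trail(t, selectors_by_trail.get(t["Name"], [])) for t in trails]
    has_org_trail = any(
        t.get("IsOrganizationTrail") and f.compliant for t, f in zip(trails, findings)
    )
    return has_org_trail, findings


def report(trails: list, selectors_by_trail: dict) -> str:
    """Render a short human-readable summary of the audit."""
    has_org_trail, findings = audit_account(trails, selectors_by_trail)
    lines = ["organization trail present and compliant: %s" % has_org_trail]
    for f in findings:
        lines.append("%s: %s" % (f.name, "OK" if f.compliant else "; ".join(f.issues)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TRAILS, SAMPLE_EVENT_SELECTORS))
```

Run as a scheduled job against each management account, the `has_org_trail` flag is the single value worth alerting on: if it flips to false, every account created afterwards is a coverage gap until it is restored.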
### Long-term Strategy (3+ months)
1. **Categorize and Map Logs:** Adopt a cloud logging framework that categorizes logs by security use case (Identity, Data, Network, Compute, Control Plane) to systematically assess and fill coverage gaps.
2. **Map to Threat Models:** Map collected log sources to the MITRE ATT&CK framework to assess current detection coverage maturity against known threat techniques.
3. **Integrate Detection Capabilities:** Combine log-based detection methods with runtime security detectors to create a more comprehensive and resilient threat detection posture.
4. **Continuously Evaluate Coverage:** Establish a process to continuously assess logging practices to ensure new cloud resources and services are adequately monitored as the cloud environment evolves.
## Implementation Guidance
### For Small Organizations
- **Leverage Free Tiers:** Utilize any "first trail is free" options (like AWS CloudTrail) to the maximum extent to gather essential management events without incurring immediate costs.
- **Focus on Control Plane:** Strictly prioritize collecting only the Control Plane/Management logs initially due to volume and cost concerns for other log types.
### For Medium Organizations
- **Standardize Trails (AWS):** Deploy AWS Organization Trails to enforce consistent, centralized logging across multiple AWS accounts, preventing visibility loss in new accounts.
- **Central Stream:** Implement free log streaming solutions (like streaming Google Workspace logs to GCP) to ensure logs are consumable in a single SecOps location without significant initial infrastructure investment.
### For Large Enterprises
- **Automated Trail Deployment:** Use Infrastructure as Code (IaC) or cloud governance tools to mandate the creation of Organization Trails or equivalent centralized logging mechanisms across all organizational units/subscriptions.
- **Budget Optimization:** Develop strategies to optimize log configuration based on the framework to ensure collection of high-value logs without incurring excessive costs from high-volume, low-yield log sources.
- **Formal Coverage Assessment:** Integrate MITRE ATT&CK mapping into the standard Security Review process for all new cloud deployments.
## Configuration Examples
| Cloud Provider | Log Type | Best Practice Configuration/Action |
| :--- | :--- | :--- |
| **AWS** | Management Events | Create an **Organization Trail** targeting all accounts to ensure centralized logging and comprehensive retention. |
| **Azure** | Activity Logs and Entra Audit/Sign-in Logs | Extend the default 30-day retention period for Subscription Activity Logs and Entra Audit/Sign-in logs for deeper investigation capability. |
| **Google Workspace** | Admin Activity Logs | **Stream Google Workspace logs** into the organization's central GCP logging plane for unified security visibility. |
## Compliance Alignment
- **NIST CSF:** Supports the **Detect** function by providing the necessary visibility into system activities (Logging and Monitoring).
- **ISO 27001:** Directly supports Annex A controls related to monitoring, logging, and change management (Control A.12.4).
- **CIS Benchmarks:** Adherence ensures that foundational logging controls are configured across IaaS/SaaS environments for visibility and accountability.
## Common Pitfalls to Avoid
- **Ignoring New Accounts:** Failing to use centralized mechanisms (like AWS Organization Trails), allowing new cloud accounts to be provisioned without active security logging enabled.
- **Relying Solely on Defaults:** Accepting default log retention periods (often short), leading to an inability to investigate long-running threats or meet compliance mandates.
- **Missing Error Logs:** If using Google Workspace logs, failing to account for the omission of error entries in non-Login log types, crippling the ability to detect failed unauthorized modifications.
- **Incomplete Coverage:** Focusing only on one log category (e.g., Compute) while neglecting the Control Plane, which provides the earliest indicators of compromise.
## Resources
- **Cloud Logging Framework:** Implement a control-based categorization (Identity, Data, Network, Compute, Control Plane) to structure log collection needs.
- **Threat Modeling Tool:** Use the MITRE ATT&CK framework to map log sources against known attacker techniques to assess detection effectiveness.
- **Cloud Provider Documentation:** Consult specific provider documentation for configuring Organization/Aggregation trails and ensuring retention policies are correctly applied.
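The Long-term Strategy items "Categorize and Map Logs" and "Map to Threat Models", restated in the Resources list above, describe a coverage assessment that is easy to automate once the mapping exists. The following is an added example, not code from the original page or any published mapping: it takes the page's five categories, a mapping from log source to ATT&CK technique IDs, the set of sources actually enabled, and a threat model expressed as required technique IDs, and reports category gaps and uncovered techniques. The technique IDs are real ATT&CK identifiers, but their assignment to log sources, the source names, and the sample threat model are illustrative assumptions; an organization would populate them from its own detection content.

```python
"""Assess detection coverage from the set of enabled cloud log sources.

Added example (not from the original page). The five categories are the
page's framework; LOG_SOURCE_MAP and REQUIRED_TECHNIQUES are illustrative
assumptions, not an authoritative ATT&CK mapping.
"""

CATEGORIES = ("Identity", "Data", "Network", "Compute", "Control Plane")

# Assumption (illustrative): log source -> (category, ATT&CK technique IDs for
# which that source provides evidence). Source names are constructed.
LOG_SOURCE_MAP = {
    "aws_cloudtrail_management": (
        "Control Plane",
        {"T1078.004", "T1098", "T1136.003", "T1562.008", "T1578", "T1580"},
    ),
    "entra_signin_logs": ("Identity", {"T1078.004", "T1110", "T1621"}),
    "entra_audit_logs": ("Identity", {"T1098", "T1098.003", "T1136.003"}),
    "s3_data_events": ("Data", {"T1530", "T1485"}),
    "vpc_flow_logs": ("Network", {"T1046", "T1071"}),
    "eks_audit_logs": ("Compute", {"T1610", "T1613"}),
}

# Constructed sample threat model: techniques the organization wants evidence for.
REQUIRED_TECHNIQUES = {"T1078.004", "T1098", "T1530", "T1562.008", "T1046"}


def validate_mapping(mapping: dict) -> None:
    """Reject mappings that reference a category outside the framework."""
    for source, (category, _) in mapping.items():
        if category not in CATEGORIES:
            raise ValueError("%s has unknown category %r" % (source, category))


def assess_coverage(enabled_sources, mapping=LOG_SOURCE_MAP,
                    required=REQUIRED_TECHNIQUES) -> dict:
    """Return category gaps, covered/uncovered techniques and a coverage ratio."""
    validate_mapping(mapping)
    enabled = set(enabled_sources)
    unknown = enabled - mapping.keys()
    if unknown:
        raise ValueError("unmapped log sources: %s" % sorted(unknown))

    # Which enabled source gives evidence for each technique (for the analyst).
    evidence = {}
    covered_categories = set()
    for source in sorted(enabled):
        category, techniques = mapping[source]
        covered_categories.add(category)
        for tid in techniques:
            evidence.setdefault(tid, []).append(source)

    covered = set(evidence)
    uncovered = set(required) - covered
    ratio = (len(required) - len(uncovered)) / len(required) if required else 1.0
    return {
        "category_gaps": [c for c in CATEGORIES if c not in covered_categories],
        "covered_techniques": sorted(covered),
        "uncovered_required": sorted(uncovered),
        "evidence": evidence,
        "coverage_ratio": ratio,
    }


def summarize(result: dict) -> str:
    """Render the assessment as a few lines suitable for a review ticket."""
    return "\n".join([
        "coverage of required techniques: %.0f%%" % (100 * result["coverage_ratio"]),
        "categories with no enabled source: %s"
        % (", ".join(result["category_gaps"]) or "none"),
        "required techniques without evidence: %s"
        % (", ".join(result["uncovered_required"]) or "none"),
    ])


if __name__ == "__main__":
    # Typical starting point from the page: only control-plane and sign-in logs.
    print(summarize(assess_coverage({"aws_cloudtrail_management", "entra_signin_logs"})))
```

The `category_gaps` list is the framework view (which of the five buckets has nothing feeding the SIEM), while `uncovered_required` is the threat-model view; tracking both over time gives the continuous evaluation the last Long-term item asks for.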