# Logging & Monitoring

**TSC mapping:** CC2 (Communication and Information), CC4 (Monitoring Activities), CC7.1 (Vulnerability Detection), CC7.2 (Security Event Monitoring), CC7.3 (Incident Evaluation)

SOC 2 auditors look for three things in this area: that logs exist, that they are tamper-protected, and that someone is actually watching them. All three must be evidenced. The third is the one most often missing: a trail and a GuardDuty detector prove collection, not review, so keep alarm notifications, acknowledgements and ticket history from the audit period alongside the configuration evidence collected below.
## 1. CloudTrail – API Audit Trail

CloudTrail is the foundational audit log for all AWS API activity. It is the primary evidence source for CC2 (information quality) and CC7.2 (security event detection).

### Enable a multi-region trail with log validation

```bash
# Create an S3 bucket for CloudTrail logs (in a dedicated logging account if possible)
aws s3api create-bucket \
  --bucket my-org-cloudtrail-logs \
  --region us-east-1

# Block all public access on the log bucket
aws s3api put-public-access-block \
  --bucket my-org-cloudtrail-logs \
  --public-access-block-configuration \
  "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

# Grant the CloudTrail service principal write access. Without this policy,
# create-trail fails with InsufficientS3BucketPolicyException.
aws s3api put-bucket-policy \
  --bucket my-org-cloudtrail-logs \
  --policy '{
    "Version": "2012-10-17",
    "Statement": [
      {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
       "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::my-org-cloudtrail-logs"},
      {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
       "Action": "s3:PutObject",
       "Resource": "arn:aws:s3:::my-org-cloudtrail-logs/AWSLogs/<account>/*",
       "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}
    ]
  }'

# Create the trail: multi-region, with digest-based log file validation, and
# including global service events (IAM, STS, CloudFront)
aws cloudtrail create-trail \
  --name org-trail \
  --s3-bucket-name my-org-cloudtrail-logs \
  --is-multi-region-trail \
  --enable-log-file-validation \
  --include-global-service-events

# Start logging (a trail records nothing until this is called)
aws cloudtrail start-logging --name org-trail
```

Log file validation detects tampering after the fact; it does not prevent it. To make the trail tamper-resistant as well, keep the bucket in a separate logging account and deny `s3:DeleteObject` on it and `cloudtrail:StopLogging` / `cloudtrail:DeleteTrail` to workload principals (an SCP is the usual place for the latter).
### Enable S3 and Lambda data events (recommended for sensitive accounts)

Data events are billed per event and are not part of the free management-event trail. In busy accounts, restrict `Values` to the buckets and functions that hold regulated data instead of the all-resources prefixes used here.

```bash
aws cloudtrail put-event-selectors \
  --trail-name org-trail \
  --event-selectors '[
    {
      "ReadWriteType": "All",
      "IncludeManagementEvents": true,
      "DataResources": [
        {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]},
        {"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"]}
      ]
    }
  ]'
```
### Verify log file integrity

`validate-logs` downloads the digest files for the period, checks each digest's signature against the CloudTrail public key and each log file's hash against its digest, and follows the chain of `previousDigestHashValue` links, so a deleted or edited log file or digest is reported. The caller needs `s3:GetObject` on the log bucket and `cloudtrail:ListPublicKeys`.

```bash
aws cloudtrail validate-logs \
  --trail-arn arn:aws:cloudtrail:<region>:<account>:trail/org-trail \
  --start-time 2024-01-01T00:00:00Z \
  --verbose
```
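To make concrete what `validate-logs` is checking, the following is an added example (not AWS code and not part of this page's original content) that re-implements the hash-chain part of the check with the Python standard library and runs it offline against constructed log files and digests, then shows which tampering attempts it catches. Digest field names follow the documented CloudTrail digest format; the example hashes the uncompressed file content, which is how that format documents `hashValue` and `previousDigestHashValue`, but treat that as an assumption to confirm before pointing the code at real digests. The RSA signature check (`SHA256withRSA` against the CloudTrail public key) is deliberately left out, and that omission matters: without it, an attacker with write access to the bucket can rebuild a self-consistent chain, so this complements `validate-logs` rather than replacing it.

```python
"""Offline check of the CloudTrail digest hash chain (added example, not AWS code).

Two checks are implemented:
  1. each log file's SHA-256 equals the hashValue recorded in the digest that covers it;
  2. each digest's previousDigestHashValue equals the SHA-256 of the preceding digest.
Hashes are taken over the uncompressed content (assumption; see lead-in).
Signature verification is out of scope. All sample data is constructed.
"""
import gzip
import hashlib
import json
from typing import Dict, List, Optional

BUCKET = "my-org-cloudtrail-logs"  # bucket name from the page; objects are simulated in a dict


def gz(obj: dict) -> bytes:
    """Serialize a CloudTrail JSON object and gzip it, as delivered to S3."""
    return gzip.compress(json.dumps(obj, sort_keys=True).encode())


def content_hash(gz_bytes: bytes) -> str:
    """Hex SHA-256 of the uncompressed content, as recorded in digest files."""
    return hashlib.sha256(gzip.decompress(gz_bytes)).hexdigest()


def build_digest(key: str, log_keys: List[str], previous_key: Optional[str],
                 bucket: Dict[str, bytes]) -> bytes:
    """Constructed digest covering log_keys and chaining to previous_key (no signature)."""
    digest = {
        "awsAccountId": "111122223333",  # constructed account ID
        "digestS3Bucket": BUCKET,
        "digestS3Object": key,
        "digestSignatureAlgorithm": "SHA256withRSA",
        "previousDigestS3Bucket": BUCKET if previous_key else None,
        "previousDigestS3Object": previous_key,
        "previousDigestHashAlgorithm": "SHA-256" if previous_key else None,
        "previousDigestHashValue": content_hash(bucket[previous_key]) if previous_key else None,
        "logFiles": [{"s3Bucket": BUCKET, "s3Object": k, "hashAlgorithm": "SHA-256",
                      "hashValue": content_hash(bucket[k])} for k in log_keys],
    }
    return gz(digest)


def verify_chain(newest_digest_key: str, bucket: Dict[str, bytes]) -> List[str]:
    """Walk the chain from the newest digest backwards; return a list of integrity problems."""
    problems: List[str] = []
    key: Optional[str] = newest_digest_key
    while key:
        if key not in bucket:
            problems.append(f"missing digest {key}: chain broken")
            break
        digest = json.loads(gzip.decompress(bucket[key]))
        for lf in digest["logFiles"]:
            obj = bucket.get(lf["s3Object"])
            if obj is None:
                problems.append(f"missing log file {lf['s3Object']}")
            elif content_hash(obj) != lf["hashValue"]:
                problems.append(f"hash mismatch for {lf['s3Object']}")
        prev = digest.get("previousDigestS3Object")
        if prev and prev in bucket and content_hash(bucket[prev]) != digest["previousDigestHashValue"]:
            problems.append(f"digest {prev} does not match hash recorded in {key}")
        key = prev
    return problems


def build_sample_bucket() -> Dict[str, bytes]:
    """Two log files and two chained digests, all constructed for the example."""
    bucket: Dict[str, bytes] = {}
    bucket["log-1.json.gz"] = gz({"Records": [{"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}}]})
    bucket["log-2.json.gz"] = gz({"Records": [{"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com"}]})
    bucket["digest-1.json.gz"] = build_digest("digest-1.json.gz", ["log-1.json.gz"], None, bucket)
    bucket["digest-2.json.gz"] = build_digest("digest-2.json.gz", ["log-2.json.gz"], "digest-1.json.gz", bucket)
    return bucket


def tamper_scenarios() -> Dict[str, List[str]]:
    """Run verify_chain over a clean bucket and three tampering attempts."""
    clean = build_sample_bucket()
    edited = dict(clean)            # attacker strips the StopLogging record from log-2
    edited["log-2.json.gz"] = gz({"Records": []})
    gapped = dict(clean)            # attacker deletes an older digest
    del gapped["digest-1.json.gz"]
    forged = dict(clean)            # attacker edits log-1 and re-issues digest-1 to match it
    forged["log-1.json.gz"] = gz({"Records": []})
    forged["digest-1.json.gz"] = build_digest("digest-1.json.gz", ["log-1.json.gz"], None, forged)
    return {name: verify_chain("digest-2.json.gz", b)
            for name, b in [("clean", clean), ("edited_log", edited),
                            ("deleted_digest", gapped), ("forged_digest", forged)]}


if __name__ == "__main__":
    for name, problems in tamper_scenarios().items():
        print(f"{name:15} {problems or 'OK'}")
```

The forged-digest case is the instructive one: rewriting a log file and its own digest produces an internally consistent pair, and only the next digest's `previousDigestHashValue` exposes it. An attacker who can also rewrite every later digest defeats this check, which is why the signature verification that `validate-logs` performs, and the bucket hardening above, are not optional.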
AWS Config rules:

| Rule | What it checks |
|---|---|
| cloud-trail-enabled | CloudTrail is enabled |
| multi-region-cloudtrail-enabled | At least one multi-region trail exists |
| cloud-trail-log-file-validation-enabled | Log integrity validation is on |
| cloudtrail-s3-dataevents-enabled | S3 data events are captured |

Reference: AWS CloudTrail documentation · Security Hub CloudTrail controls
## 2. AWS Config – Continuous Configuration Compliance

AWS Config records every configuration change to supported AWS resources and continuously evaluates them against compliance rules. It is evidence for CC4 (monitoring) and CC8 (change management).

```bash
# Enable Config in a region (repeat per region). The role needs the AWS managed
# policy AWS_ConfigRole, and the delivery bucket needs a bucket policy allowing
# config.amazonaws.com to s3:GetBucketAcl and s3:PutObject.
# Set includeGlobalResourceTypes=true in ONE region only: IAM is global, and
# recording it in every region produces duplicate configuration items.
aws configservice put-configuration-recorder \
  --configuration-recorder \
  "name=default,roleARN=arn:aws:iam::<account>:role/config-role,recordingGroup={allSupported=true,includeGlobalResourceTypes=true}"

aws configservice put-delivery-channel \
  --delivery-channel \
  "name=default,s3BucketName=my-org-config-logs,configSnapshotDeliveryProperties={deliveryFrequency=TwentyFour_Hours}"

aws configservice start-configuration-recorder --configuration-recorder-name default
```
Enable the SOC 2-relevant managed rules:

```bash
# IAM rules
aws configservice put-config-rule --config-rule '{"ConfigRuleName":"root-account-mfa-enabled","Source":{"Owner":"AWS","SourceIdentifier":"ROOT_ACCOUNT_MFA_ENABLED"}}'
aws configservice put-config-rule --config-rule '{"ConfigRuleName":"iam-root-access-key-check","Source":{"Owner":"AWS","SourceIdentifier":"IAM_ROOT_ACCESS_KEY_CHECK"}}'
aws configservice put-config-rule --config-rule '{"ConfigRuleName":"iam-user-mfa-enabled","Source":{"Owner":"AWS","SourceIdentifier":"IAM_USER_MFA_ENABLED"}}'
# maxAccessKeyAge is the rotation window in days; 90 is the value most SOC 2 access policies state
aws configservice put-config-rule --config-rule '{"ConfigRuleName":"access-keys-rotated","Source":{"Owner":"AWS","SourceIdentifier":"ACCESS_KEYS_ROTATED"},"InputParameters":"{\"maxAccessKeyAge\":\"90\"}"}'

# Logging rules
aws configservice put-config-rule --config-rule '{"ConfigRuleName":"multi-region-cloudtrail-enabled","Source":{"Owner":"AWS","SourceIdentifier":"MULTI_REGION_CLOUD_TRAIL_ENABLED"}}'
aws configservice put-config-rule --config-rule '{"ConfigRuleName":"vpc-flow-logs-enabled","Source":{"Owner":"AWS","SourceIdentifier":"VPC_FLOW_LOGS_ENABLED"}}'
aws configservice put-config-rule --config-rule '{"ConfigRuleName":"guardduty-enabled-centralized","Source":{"Owner":"AWS","SourceIdentifier":"GUARDDUTY_ENABLED_CENTRALIZED"}}'
```

Periodic rules such as `access-keys-rotated` and `guardduty-enabled-centralized` evaluate on a schedule (24 hours by default), so a freshly created rule shows no compliance results until its first run.

Reference: AWS Config documentation · Managed rules list
## 3. Amazon GuardDuty – Threat Detection

GuardDuty provides continuous threat detection by analysing CloudTrail management events, VPC flow data, Route 53 DNS query logs and, when enabled, S3 data events, using threat-intelligence feeds, anomaly detection and machine learning. Its findings directly evidence CC7.2 (security event monitoring) and, once triaged, CC7.3 (incident evaluation).

```bash
# Enable GuardDuty; the detector ID is returned and is needed for later calls
aws guardduty create-detector --enable --finding-publishing-frequency FIFTEEN_MINUTES

# Retrieve the detector ID again later if needed
aws guardduty list-detectors --query 'DetectorIds[0]' --output text

# Enable S3 protection (detects malicious S3 API activity). The older
# --data-sources '{"S3Logs":{"Enable":true}}' form still works but is deprecated
# in favour of --features.
aws guardduty update-detector \
  --detector-id <detector-id> \
  --features '[{"Name":"S3_DATA_EVENTS","Status":"ENABLED"}]'
```
Route HIGH/CRITICAL findings to SNS for immediate alerting. GuardDuty severity is numeric: 7.0 to 8.9 is High and 9.0 and above is Critical, so `>= 7` captures both.

```bash
# Create an EventBridge rule for GuardDuty HIGH+ findings
aws events put-rule \
  --name guardduty-high-findings \
  --event-pattern '{
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
      "severity": [{ "numeric": [">=", 7] }]
    }
  }'

# Add SNS as target. The topic's access policy must allow events.amazonaws.com
# to sns:Publish, or deliveries fail silently (watch the rule's FailedInvocations metric).
aws events put-targets \
  --rule guardduty-high-findings \
  --targets '[{"Id":"1","Arn":"arn:aws:sns:<region>:<account>:security-alerts"}]'
```
AWS Config rule:

| Rule | What it checks |
|---|---|
| guardduty-enabled-centralized | GuardDuty is enabled in all accounts |

Reference: Amazon GuardDuty documentation
## 4. AWS Security Hub – Centralised Finding Aggregation

Security Hub aggregates findings from GuardDuty, Inspector, Macie, Config and third-party tools. Enable the AWS Foundational Security Best Practices (FSBP) standard and the CIS AWS Foundations Benchmark v3.0; both map directly to SOC 2 TSC criteria.

```bash
# Enable Security Hub with the default standards and consolidated control findings
aws securityhub enable-security-hub \
  --enable-default-standards \
  --control-finding-generator SECURITY_CONTROL

# Check enabled standards
aws securityhub get-enabled-standards

# Enable CIS v3.0. The standards ARN is regional; list the exact ARNs available
# in your region with describe-standards rather than guessing.
aws securityhub describe-standards --query 'Standards[].StandardsArn'
aws securityhub batch-enable-standards \
  --standards-subscription-requests \
  'StandardsArn=arn:aws:securityhub:<region>::standards/cis-aws-foundations-benchmark/v/3.0.0'
```
Review the severity distribution of ACTIVE findings that have not yet been triaged:

```bash
aws securityhub get-findings \
  --filters '{"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}],"WorkflowStatus":[{"Value":"NEW","Comparison":"EQUALS"}]}' \
  --query 'Findings[*].[Severity.Label,Title]' \
  --output table | head -40
```

Reference: AWS Security Hub · FSBP Standard · CIS AWS Benchmark
## 5. VPC Flow Logs

Flow Logs capture IP-level traffic metadata (addresses, ports, protocol, bytes, packets, accept/reject) for every network interface in a VPC. They are evidence for CC7.2 and give your own analysts a queryable network record. Note that GuardDuty consumes VPC flow data independently and does not require you to publish Flow Logs; enabling them serves your investigations and the Config rule below, not GuardDuty.

```bash
# Enable Flow Logs for a VPC (to CloudWatch Logs). The role must trust
# vpc-flow-logs.amazonaws.com and allow logs:CreateLogGroup, logs:CreateLogStream,
# logs:PutLogEvents, logs:DescribeLogGroups and logs:DescribeLogStreams.
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-xxxxxxxxxxxxxxxxx \
  --traffic-type ALL \
  --log-destination-type cloud-watch-logs \
  --log-group-name /aws/vpc/flowlogs \
  --deliver-logs-permission-arn arn:aws:iam::<account>:role/flowlogs-role
```

For high-volume VPCs, `--log-destination-type s3` is considerably cheaper to retain for the audit period and can be queried with Athena.
AWS Config rule:

| Rule | What it checks |
|---|---|
| vpc-flow-logs-enabled | Flow Logs are enabled for all VPCs |

Reference: VPC Flow Logs
## 6. CloudWatch Alarms – CIS Benchmark Monitoring Controls

Section 4 of the CIS AWS Foundations Benchmark v3.0 requires a CloudWatch Logs metric filter and alarm for each of the event patterns listed below, with each alarm routed to an SNS topic that has at least one active subscriber. These provide evidence for CC4 and CC7.2. The filters only work if the trail is delivered to CloudWatch Logs, which the trail created in section 1 does not yet do.

```bash
# Prerequisite: deliver the trail to a CloudWatch Logs group. The role must trust
# cloudtrail.amazonaws.com and allow logs:CreateLogStream and logs:PutLogEvents.
aws logs create-log-group --log-group-name cloudtrail-log-group
aws cloudtrail update-trail \
  --name org-trail \
  --cloud-watch-logs-log-group-arn arn:aws:logs:<region>:<account>:log-group:cloudtrail-log-group:* \
  --cloud-watch-logs-role-arn arn:aws:iam::<account>:role/cloudtrail-cloudwatch-role

# Metric filter for unauthorized API calls. The wildcards matter: EC2 reports
# "Client.UnauthorizedOperation", which an exact match on "UnauthorizedOperation" misses.
aws logs put-metric-filter \
  --log-group-name cloudtrail-log-group \
  --filter-name UnauthorizedAPICalls \
  --filter-pattern '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }' \
  --metric-transformations metricName=UnauthorizedAPICalls,metricNamespace=SOC2/CISAlarms,metricValue=1

# Alarm on any match within a 5-minute window. Treat missing data as not breaching
# so quiet periods do not flip the alarm to INSUFFICIENT_DATA.
aws cloudwatch put-metric-alarm \
  --alarm-name UnauthorizedAPICalls \
  --metric-name UnauthorizedAPICalls \
  --namespace SOC2/CISAlarms \
  --statistic Sum \
  --period 300 \
  --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --treat-missing-data notBreaching \
  --alarm-actions arn:aws:sns:<region>:<account>:security-alerts
```
Required CIS v3.0 metric filters and alarms (benchmark items 4.1 through 4.15; 4.16 separately requires Security Hub to be enabled):

| Alarm | Event pattern keyword |
|---|---|
| Unauthorized API calls | errorCode = *UnauthorizedOperation or AccessDenied* |
| Console sign-in without MFA | ConsoleLogin by an IAMUser with additionalEventData.MFAUsed != Yes and responseElements.ConsoleLogin = Success |
| Root account usage | userIdentity.type = Root, userIdentity.invokedBy absent, eventType != AwsServiceEvent |
| IAM policy changes | PutUserPolicy, PutRolePolicy, CreatePolicy, etc. |
| CloudTrail configuration changes | CreateTrail, UpdateTrail, DeleteTrail, StartLogging, StopLogging |
| Console authentication failures | ConsoleLogin + errorMessage = "Failed authentication" |
| Disabling or scheduled deletion of CMKs | eventSource = kms.amazonaws.com + DisableKey, ScheduleKeyDeletion |
| S3 bucket policy changes | PutBucketPolicy, DeleteBucketPolicy, PutBucketAcl, etc. |
| Config configuration changes | StopConfigurationRecorder, DeleteDeliveryChannel, PutDeliveryChannel, PutConfigurationRecorder |
| Security group changes | AuthorizeSecurityGroupIngress, RevokeSecurityGroupIngress, etc. |
| Network ACL changes | CreateNetworkAcl, DeleteNetworkAcl, etc. |
| Network gateway changes | CreateCustomerGateway, DeleteInternetGateway, etc. |
| Route table changes | CreateRoute, DeleteRoute, ReplaceRoute, etc. |
| VPC changes | CreateVpc, DeleteVpc, ModifyVpcAttribute, etc. |
| AWS Organizations changes | eventSource = organizations.amazonaws.com + CreateAccount, LeaveOrganization, AttachPolicy, etc. |

Reference: CIS AWS Foundations Benchmark v3 in Security Hub · Amazon CloudWatch documentation
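CloudWatch Logs evaluates filter patterns server-side, so the cheapest way to find out what a pattern will and will not catch is to write the same conditions as predicates and run them over representative CloudTrail records before deploying. The following is an added example (my own code, not from the page, AWS or CIS) that does this for a subset of the alarms above using only the standard library. The predicates paraphrase the CIS v3.0 patterns for items 4.1, 4.2, 4.3, 4.5, 4.6, 4.7 and 4.9 as I read them; check them against the benchmark text before relying on them. The `UnauthorizedAPICalls` name matches the page's filter; the other alarm names and all sample records are constructed.

```python
"""CIS-style metric-filter logic evaluated offline over CloudTrail records.

Added example, not AWS or CIS code. Each predicate mirrors a CloudWatch Logs
filter pattern from the table above; evaluate() reports which alarm each
record would increment, alarms_fired() applies the alarm threshold.
Only the standard library is used; sample records are constructed.
"""
from typing import Any, Callable, Dict, List


def field(record: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted path such as 'additionalEventData.MFAUsed'; None if absent."""
    cur: Any = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def unauthorized_api_call(r: Dict[str, Any]) -> bool:
    # 4.1 uses wildcards: EC2 reports "Client.UnauthorizedOperation", so an
    # exact match on "UnauthorizedOperation" would silently miss real denials.
    code = field(r, "errorCode") or ""
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def console_login_without_mfa(r: Dict[str, Any]) -> bool:
    # 4.2 counts only successful IAM-user logins; federated/SSO sessions
    # (userIdentity.type AssumedRole) record MFAUsed=No and would be constant noise.
    return (field(r, "eventName") == "ConsoleLogin"
            and field(r, "additionalEventData.MFAUsed") != "Yes"
            and field(r, "userIdentity.type") == "IAMUser"
            and field(r, "responseElements.ConsoleLogin") == "Success")


def root_account_usage(r: Dict[str, Any]) -> bool:
    # 4.3: Root identity, not invoked on root's behalf by a service, not a service event.
    return (field(r, "userIdentity.type") == "Root"
            and field(r, "userIdentity.invokedBy") is None
            and field(r, "eventType") != "AwsServiceEvent")


def console_auth_failure(r: Dict[str, Any]) -> bool:
    # 4.6
    return (field(r, "eventName") == "ConsoleLogin"
            and field(r, "errorMessage") == "Failed authentication")


def _event_in(source: str, names: set) -> Callable[[Dict[str, Any]], bool]:
    """Predicate factory for the 'eventSource X and eventName in {...}' patterns."""
    def pred(r: Dict[str, Any]) -> bool:
        return field(r, "eventSource") == source and field(r, "eventName") in names
    return pred


ALARMS: Dict[str, Callable[[Dict[str, Any]], bool]] = {
    "UnauthorizedAPICalls": unauthorized_api_call,
    "ConsoleSignInWithoutMFA": console_login_without_mfa,
    "RootAccountUsage": root_account_usage,
    "ConsoleAuthFailures": console_auth_failure,
    "CloudTrailChanges": _event_in("cloudtrail.amazonaws.com",
        {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}),
    "CMKDisableOrDelete": _event_in("kms.amazonaws.com", {"DisableKey", "ScheduleKeyDeletion"}),
    "ConfigChanges": _event_in("config.amazonaws.com",
        {"StopConfigurationRecorder", "DeleteDeliveryChannel",
         "PutDeliveryChannel", "PutConfigurationRecorder"}),
}


def evaluate(records: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map each alarm name to the eventIDs that would increment its metric."""
    hits: Dict[str, List[str]] = {name: [] for name in ALARMS}
    for r in records:
        for name, pred in ALARMS.items():
            if pred(r):
                hits[name].append(r["eventID"])
    return hits


def alarms_fired(records: List[Dict[str, Any]], threshold: int = 1) -> List[str]:
    """Alarms whose Sum over the window reaches the threshold (page alarm: Sum/300s >= 1)."""
    return sorted(n for n, ids in evaluate(records).items() if len(ids) >= threshold)


SAMPLE_RECORDS: List[Dict[str, Any]] = [  # constructed, not from a real account
    {"eventID": "e1", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "errorCode": "Client.UnauthorizedOperation", "userIdentity": {"type": "IAMUser"}},
    {"eventID": "e2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser"}, "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "e3", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "AssumedRole"}, "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "e4", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "eventType": "AwsApiCall", "userIdentity": {"type": "Root"}},
    {"eventID": "e5", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "errorMessage": "Failed authentication", "userIdentity": {"type": "IAMUser"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventID": "e6", "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"type": "AssumedRole"}},
]

if __name__ == "__main__":
    for name, ids in evaluate(SAMPLE_RECORDS).items():
        print(f"{name:26} {ids}")
    print("fired:", alarms_fired(SAMPLE_RECORDS))
```

Record `e3` (a federated session with `MFAUsed: No`) and `e4` (root stopping the trail, which trips two alarms at once) are the cases worth keeping in a regression set: the first shows why the extra `IAMUser` and `Success` conditions exist, and the second is exactly the event an auditor will ask whether you would have seen.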
## 7. Amazon Macie – Sensitive Data Discovery

Macie discovers sensitive data (PII, credentials, financial data) stored in S3 and reports it as findings. It does not block access by itself, so "protect" here means knowing where the data is and scoping access controls to it. Findings evidence CC6.7 and CC7.2.

```bash
# Enable Macie
aws macie2 enable-macie

# Create a one-time classification job covering every bucket in the account.
# bucketDefinitions takes explicit bucket names, not wildcards; to select all
# buckets, use bucketCriteria on ACCOUNT_ID instead. Add --sampling-percentage
# for a cheaper first pass over large buckets.
aws macie2 create-classification-job \
  --job-type ONE_TIME \
  --name soc2-data-discovery \
  --s3-job-definition '{"bucketCriteria":{"includes":{"and":[{"simpleCriterion":{"key":"ACCOUNT_ID","comparator":"EQ","values":["<account>"]}}]}}}'
```

Reference: Amazon Macie documentation
## SOC 2 Evidence for Logging & Monitoring

| Evidence item | How to collect |
|---|---|
| CloudTrail trail configuration (multi-region, log file validation enabled) | aws cloudtrail describe-trails |
| CloudTrail logging status and latest digest delivery | aws cloudtrail get-trail-status --name org-trail |
| Config rules compliance summary | AWS Config console → Compliance → By rule, or aws configservice describe-compliance-by-config-rule |
| GuardDuty findings list (past 90 days) | aws guardduty list-findings --detector-id <detector-id>, then aws guardduty get-findings for the details |
| Security Hub summary report | Security Hub console → Summary → Export |
| CloudWatch alarm configurations and state history | aws cloudwatch describe-alarms and aws cloudwatch describe-alarm-history |
| VPC Flow Log configuration | aws ec2 describe-flow-logs |
| Macie findings | aws macie2 list-findings |