Synapse Logging and Monitoring
Log management can benefit an organization in many ways. First, it helps to ensure that computer security records are stored in sufficient detail for an appropriate period. Periodic log reviews and analysis are beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems shortly after they have occurred and provide information helpful in resolving such problems. Logs can also help perform auditing and forensic analysis, supporting the organization’s internal investigations, establishing baselines, and identifying operational trends and long-term problems. Besides the inherent benefits of log management, several laws and regulations further compel organizations to store and review certain logs. The following is a listing of key regulations, standards, and guidelines that help define organizations’ needs for log management:
Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA includes security standards for specific health information. NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, lists HIPAA-related log management needs.13 Section 4.1 of NIST SP 800-66 describes the need to review audit logs and access reports regularly. Also, Section 4.22 specifies that documentation of actions and activities needs to be retained for at least six years.
Federal Information Security Management Act of 2002 (FISMA). FISMA emphasizes the need for each Federal agency to develop, document, and implement an organization-wide program to provide information security for the information systems that support its operations and assets. NIST SP 800-53, Recommended Security Controls for Federal Information Systems, was developed to support FISMA.11 NIST SP 800-53 is the primary source of recommended security controls for Federal agencies. It describes several controls related to log management, including the generation, review, protection, and retention of audit records and the actions to be taken because of audit failure.
How is Logging and Monitoring Implemented in Synapse
Amazon GuardDuty is a security monitoring service that analyzes and processes Foundational data sources, such as AWS CloudTrail management events, AWS CloudTrail event logs, VPC flow logs, and DNS logs. It also processes features such as Kubernetes audit logs, RDS login activity, S3 logs, EBS volumes, Runtime monitoring, and Lambda network activity logs. In addition, it uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your AWS environment. This can include issues like escalation of privileges, use of exposed credentials, or communication with malicious IP addresses, domains, presence of malware on your Amazon EC2 instances and container workloads, or discovery of unusual patterns of login events on your database.
GuardDuty currently generates findings for the following resource types:
EC2 finding types
IAM finding types
Kubernetes audit logs finding types
EKS Runtime Monitoring finding types
Lambda Protection finding types
Malware Protection finding types
RDS Protection finding types
S3 finding types
See Finding types - Amazon GuardDuty for more details (Resourse, Data / Source, and Severity).