Last active: July 6, 2025 16:35
AWS Log Sources Security Summary
| Log Source | Security Value | Primary Use Cases | Detection Strengths | Limitations | Cost Impact |
|---|---|---|---|---|---|
| CloudTrail | ★★★★★ | API auditing, compliance, incident response | Privilege escalation, account takeover, policy changes | No data plane events, potential gaps in coverage | High volume, moderate cost |
| VPC Flow Logs | ★★★★ | Network monitoring, lateral movement detection | Data exfiltration, C2 comms, network reconnaissance | Metadata only, no packet inspection | Very high volume, high cost |
| GuardDuty | ★★★★ | Threat detection, malware identification | Known attack patterns, threat intelligence integration | Limited customization, false positives | Fixed pricing, cost-effective |
| Config | ★★★ | Configuration compliance, change tracking | Misconfigurations, policy violations, resource drift | Not real-time, config-focused only | Low volume, low cost |
| ALB/ELB Logs | ★★★★ | Web application security, DDoS detection | SQL injection, XSS, application attacks | Only web traffic, requires parsing | High volume, moderate cost |
| WAF Logs | ★★★ | Web application firewall events | Blocked attacks, web exploit attempts | Only filtered traffic, limited context | Low volume, low cost |
| DNS Logs | ★★★ | DNS tunneling, malware C2 | Domain generation algorithms, DNS exfiltration | Route 53 resolver logs only | Moderate volume, low cost |
| S3 Access Logs | ★★★ | Data access monitoring, compliance | Unauthorized access, data exfiltration | Not real-time, high volume | Very high volume, high cost |
| EventBridge | ★★ | Event-driven automation, service integration | Service interactions, workflow monitoring | Not a primary security log source | Low volume, low cost |
| Systems Manager | ★★ | Instance management, patch compliance | Compliance violations, unauthorized changes | Limited to managed instances | Low volume, low cost |