party/middleware agents collect log file information.
Log transport: When log files are centralized, transfer them to the central location in a secure, reliable, and timely fashion.
Log storage: Centralize log files from multiple instances to facilitate retention policies, as well as analysis and correlation.
Log taxonomy: Present different categories of log files in a format suitable for analysis.
Log analysis/correlation: Log files provide security intelligence after you analyze them and correlate events in them. You can analyze logs in real time, or at scheduled intervals.
Log protection/security: Log files are sensitive. Protect them through network control, identity and access management, encryption, data integrity authentication, and tamper-proof time-stamping.
Table 24: Log File Considerations
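The "data integrity authentication" and time-stamping row of Table 24 can be illustrated with a keyed hash chain over log records: each record carries its timestamp, the MAC of the previous record, and its own HMAC, so modification, deletion, reordering, or backdating of any record is detected on verification. This is an added example, not code from the whitepaper or from AWS; the key, the record layout, and the sample events are constructed for the demonstration, and the in-record timestamp is a simplified stand-in for the trusted time-stamping service the table refers to.

```python
import hmac
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Hypothetical demo key: a real deployment keeps this in a KMS/HSM, never in pipeline config.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # chain anchor for the first record


def _mac(key: bytes, prev: str, ts: str, msg: str) -> str:
    # Bind each record to its predecessor and its timestamp so that editing,
    # deleting, reordering, or backdating any record breaks the chain.
    payload = json.dumps([prev, ts, msg], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_record(chain: list, msg: str, key: bytes = LOG_KEY, ts: Optional[str] = None) -> dict:
    """Append a timestamped, MAC-chained record to the chain and return it."""
    prev = chain[-1]["mac"] if chain else GENESIS
    ts = ts or datetime.now(timezone.utc).isoformat()
    rec = {"ts": ts, "msg": msg, "prev": prev, "mac": _mac(key, prev, ts, msg)}
    chain.append(rec)
    return rec


def verify_chain(chain: list, key: bytes = LOG_KEY) -> int:
    """Return -1 if every record is intact and correctly linked, else the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:  # a record was removed, inserted, or reordered before this one
            return i
        expected = _mac(key, rec["prev"], rec["ts"], rec["msg"])
        if not hmac.compare_digest(expected, rec["mac"]):  # contents or timestamp changed
            return i
        prev = rec["mac"]
    return -1


# Constructed sample events in the style of an access-control audit trail (not real log data).
SAMPLE_EVENTS = [
    ("2016-08-01T10:00:00+00:00", "ConsoleLogin user=alice result=Success"),
    ("2016-08-01T10:02:13+00:00", "AssumeRole user=alice role=AdminAccess"),
    ("2016-08-01T10:05:40+00:00", "DeleteTrail user=alice trail=main-trail"),
]


def build_sample_chain() -> list:
    chain: list = []
    for ts, msg in SAMPLE_EVENTS:
        append_record(chain, msg, ts=ts)
    return chain
```

Run the verifier at collection time and again after transport and storage; a non-negative result names the first record whose integrity or position can no longer be trusted.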
You might have multiple sources of security logs. Various network components such as firewalls, IDP, DLP, AV systems, the operating system, platforms, and applications will generate log files. Many will be related to security, and those need to be part of the log file strategy. Others, which are not related to security, are better excluded from the strategy.

Logs should include all user activities, exceptions, and security events, and you should keep them for a predetermined time for future investigations.
To determine which log files to include, answer the following questions:
• Who are the users of the cloud systems? How do they register, how do they authenticate, and how are they authorized to access resources?
• Which applications access cloud systems? How do they get credentials, how do they authenticate, and how are they authorized for such access?

Amazon Web Services –
AWS Security Best Practices
August 2016
Page 69 of 74
• Which users have privileged access (administrative level access) to AWS infrastructure, operating systems, and applications? How do they authenticate, and how are they authorized for such access?
Many services provide built-in access control audit trails (for example, Amazon S3 and Amazon EMR provide such logs), but in some cases, your business requirements for logging might be higher than what's available from the native service log. In such cases, consider using a privilege escalation gateway to manage access control logs and authorization.
When you use a privilege escalation gateway, you centralize all access to the system via a single (clustered) gateway. Instead of making direct calls to the AWS infrastructure, your operating systems, or applications, all requests are performed by proxy systems that act as trusted intermediaries to the infrastructure. Often such systems are required to provide or do the following:
• Automated password management for privileged access: Privileged access control systems can rotate passwords and credentials based on given policies automatically using built-in connectors for Microsoft Active Directory, UNIX, LDAP, MYSQL, etc.
