AWS Cloud Logging & Monitoring

Comprehensive Security Monitoring for security-studies.net

AWS CloudTrail, CloudWatch, S3, SNS • Real-time Security Alerts • Status: Active Monitoring

Project Overview

This project implements a comprehensive cloud security monitoring solution for the AWS infrastructure hosting security-studies.net. The implementation demonstrates proficiency in AWS security services while practically enhancing the security posture through robust logging, monitoring, and alerting capabilities.

Key Services Implemented

AWS CloudTrail: API activity audit logging
Amazon CloudWatch: Log aggregation and metrics
Amazon S3: Secure log archival with encryption
AWS SNS: Real-time alert notifications

Security Monitoring Capabilities

Root user activity detection
Unauthorized API call monitoring
Security group change alerts
Failed login attempt tracking

Implementation Architecture

The monitoring architecture follows AWS security best practices, implementing defense-in-depth through multiple layers of logging and alerting. The solution captures all API activity via CloudTrail, processes events through CloudWatch, and delivers real-time notifications through SNS.

CloudTrail Configuration

Configured AWS CloudTrail to capture all management events across all regions, with logs delivered to a dedicated S3 bucket. Key security enhancements include:

Log file validation enabled for integrity verification
Server-side encryption with AWS KMS using custom key
S3 bucket policy restricting access to CloudTrail service principal only
Block All Public Access enabled on log storage bucket

CloudWatch Integration

Integrated CloudTrail with CloudWatch Logs for real-time monitoring and alerting. Created custom metric filters to detect security-relevant events:

Root User Activity: Monitors any API calls made by the root account, triggering immediate alerts as root usage should be extremely rare.

Unauthorized API Calls: Detects AccessDenied and UnauthorizedOperation errors, indicating potential privilege escalation attempts.

Security Group Changes: Monitors modifications to security groups and NACLs, critical for network security integrity.

Failed Console Logins: Tracks multiple failed authentication attempts, indicating potential brute force attacks.

CloudWatch alarms configuration showing all four security monitoring alarms — Configured CloudWatch alarms for comprehensive security monitoring

Testing & Validation

Comprehensive testing was conducted to validate each monitoring component. All alarms were systematically triggered through controlled actions to ensure proper detection and notification delivery.

Test Scenarios

Root User Test: Created S3 folder using root account → Alert triggered immediately ✓
Unauthorized API Test: Attempted bucket creation with limited IAM user → AccessDenied event detected ✓
Security Group Test: Modified EC2 security group inbound rules → Configuration change alert sent ✓
Failed Login Test: Multiple incorrect password attempts → Brute force detection activated ✓

Alert Delivery

SNS topic configured with email subscription for immediate notification delivery. All test scenarios successfully triggered CloudWatch alarms and delivered notifications within minutes.

Response Time: Average 2-3 minutes from event to email notification

Email alert notification received for security group changes with detailed event information — Actual email alert received showing security monitoring in action

Technical Implementation Details

Security Best Practices

Principle of Least Privilege: IAM roles with minimal required permissions
Encryption at Rest: KMS encryption for all log data
Data Integrity: CloudTrail log file validation enabled
Access Control: Restrictive S3 bucket policies

Monitoring Capabilities

Real-time Detection: CloudWatch metric filters for immediate response
Historical Analysis: S3 log retention for compliance and forensics
Dashboard Visibility: Custom CloudWatch dashboards
Multi-channel Alerts: SNS integration for flexible notification

Cost Optimization

Implementation leverages AWS free tier wherever possible. CloudTrail management events, S3 storage for the first copy of logs, and basic CloudWatch metrics are covered under free tier limits, making this a cost-effective security enhancement for small to medium deployments.

Results & Security Impact

100% Test Success Rate - All monitoring components validated
4 Critical Alerts Active - Comprehensive security coverage
24/7 Continuous Monitoring - Real-time threat detection

The implementation significantly enhances the security posture of security-studies.net by providing comprehensive visibility into AWS account activity. The monitoring system enables rapid detection and response to potential security incidents, supporting both operational security and compliance requirements.

Key Takeaways

AWS Service Integration: The project demonstrated the power of AWS service integration, where CloudTrail, CloudWatch, S3, and SNS work seamlessly together to create a comprehensive monitoring solution.

Security by Design: Implementing security monitoring from the ground up is more effective than retrofitting. The principle of least privilege and defense-in-depth were critical to the solution's effectiveness.

Testing Importance: Systematic testing of each alert mechanism was crucial to ensure reliability. Real-world validation prevents false confidence in untested monitoring systems.

Future Enhancements: Additional opportunities include AWS Config for compliance monitoring, GuardDuty for machine learning-based threat detection, and custom Lambda functions for automated incident response.

← Back to Projects