EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securityCloudTrailVPC-Flow-LogsAWS-Config

Cloud Logging — The Seven Log Sources & Centralised Architecture

Why logging is the foundation of cloud security, the seven distinct log sources every cloud workload generates, and how to build a centralised logging architecture that gives you the visibility to detect and respond to incidents.

Ashish Revar3 July 202613 min read1 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

AWS CloudTrail User Guide

Complete AWS CloudTrail documentation covering trail configuration, event types, and log validation.

blog
AWS CloudTrail User Guide

Complete AWS CloudTrail documentation covering trail configuration, event types, and log validation.

blog
AWS VPC Flow Logs Documentation

VPC Flow Logs setup, log record format, and analysis patterns for network security monitoring.

blog
AWS VPC Flow Logs Documentation

VPC Flow Logs setup, log record format, and analysis patterns for network security monitoring.

blog
Querying CloudTrail Logs with Amazon Athena

Step-by-step guide for creating an Athena table over CloudTrail logs and running forensic queries.

blog
Querying CloudTrail Logs with Amazon Athena

Step-by-step guide for creating an Athena table over CloudTrail logs and running forensic queries.

blog
AWS Security Hub — Consolidated Findings

AWS Security Hub documentation for aggregating findings from GuardDuty, Inspector, Config, and Macie.

blog
AWS Security Hub — Consolidated Findings

AWS Security Hub documentation for aggregating findings from GuardDuty, Inspector, Config, and Macie.

blog
More articlesTest your knowledge

Why Logging Comes First

You cannot investigate what you cannot see. In cloud environments, where no physical access is possible and resources are ephemeral, logs are the primary — and often only — source of forensic evidence. Before you deploy any workload, your logging architecture should already be running.

A common mistake is treating logging as a post-deployment optimisation. In practice, an incident that occurs before logging is configured may leave no recoverable evidence. Enable logging on day one.

The Seven Cloud Log Sources

Every cloud workload generates logs across seven distinct categories:

#Log SourceWhat It RecordsAWS ServiceAzure Service
1Management/Control PlaneAPI calls to create, modify, delete resourcesCloudTrailActivity Log
2Data PlaneRead/write operations on data servicesS3 Access Logs, CloudTrail data eventsStorage Analytics Logs
3Network FlowIP traffic between resourcesVPC Flow LogsNSG Flow Logs
4Application/ServiceApplication errors, performance, custom eventsCloudWatch LogsApplication Insights
5AuthenticationLogin events, MFA, token issuanceCloudTrail (IAM events), Cognito logsAzure AD Sign-in Logs
6Change/ConfigurationResource configuration changes over timeAWS ConfigAzure Policy / Resource Graph
7Billing/UsageService consumption and cost anomaliesCost and Usage ReportAzure Cost Management

The Three Most Critical Logs for Security

CloudTrail (Management Plane): Records every API call made against your AWS account — who made it, from where, when, on what resource, and what the result was. This is the primary forensic data source for any AWS incident. It must be enabled in all regions, including opt-in regions, and the log bucket must be protected with S3 Object Lock.

VPC Flow Logs: Records metadata (not packet content) for every network flow in your VPC: source IP, destination IP, ports, protocol, bytes transferred, and accept/reject decision. Essential for detecting lateral movement, data exfiltration, and C2 communication.

AWS Config: Continuously records the configuration of your AWS resources and evaluates them against compliance rules. If an S3 bucket is accidentally made public, Config records the before/after state and can trigger automated remediation.

Centralised Logging Architecture

Centralising logs from all accounts, regions, and services into a single location gives security teams unified visibility and prevents attackers from covering their tracks by deleting logs in a compromised account.

Reference Architecture

Account A CloudTrail → S3 Log Archive Bucket (central, dedicated account)
Account B CloudTrail ↗                          ↓
Account C CloudTrail ↗               Amazon Athena (SQL queries over logs)
                                               ↓
VPC Flow Logs → CloudWatch Logs → Kinesis Firehose → OpenSearch / SIEM
                                               ↓
Application Logs → CloudWatch Logs →      GuardDuty findings

Key Design Principles

  1. Dedicated logging account: Keep logs in a separate AWS account with restricted access. Compromising the production account should not give access to logs.
  2. Object Lock on log buckets: WORM (Write Once, Read Many) protection prevents even account administrators from deleting log files — critical for tamper-evident logging.
  3. Cross-region log aggregation: CloudTrail must be enabled in all regions, including regions you do not actively use (attackers may provision resources in unused regions).
  4. Log integrity validation: CloudTrail includes a hash-based validation mechanism that detects any modification or deletion of log files after they are written.
  5. Retention policy: CERT-In 2022 mandates 5-year log retention. RBI IT Framework requires similar periods for financial institutions. Set S3 lifecycle policies to transition logs from S3 Standard to S3 Glacier for cost-efficient long-term retention.

What to Alert On

Not all log events are equal. High-priority alerts to configure from day one:

EventLog SourceRisk
root account loginCloudTrailRoot should never be used operationally
DeleteTrail or StopLoggingCloudTrailAttacker covering tracks
CreateUser + AttachUserPolicy rapid sequenceCloudTrailNew admin account creation
Mass GetObject from S3 bucketS3 Access LogsData exfiltration
SSH from new source IPVPC Flow LogsPotential unauthorised access
GetSecretValue from Lambda with no recent invocationsCloudTrailCredential harvesting
Security group modified to allow 0.0.0.0/0:22ConfigSSH exposure

Key Takeaway

Logging is not a compliance checkbox — it is the foundation of cloud security operations. The seven log sources together give you visibility from the API layer to the network layer to the data layer. Centralise them, protect them with Object Lock, retain them for five years, and alert on high-priority events from day one.