Why logging is the foundation of cloud security, the seven distinct log sources every cloud workload generates, and how to build a centralised logging architecture that gives you the visibility to detect and respond to incidents.
Sign in to mark this article as read and track your progress.
You cannot investigate what you cannot see. In cloud environments, where no physical access is possible and resources are ephemeral, logs are the primary — and often only — source of forensic evidence. Before you deploy any workload, your logging architecture should already be running.
A common mistake is treating logging as a post-deployment optimisation. In practice, an incident that occurs before logging is configured may leave no recoverable evidence. Enable logging on day one.
Every cloud workload generates logs across seven distinct categories:
| # | Log Source | What It Records | AWS Service | Azure Service |
|---|---|---|---|---|
| 1 | Management/Control Plane | API calls to create, modify, delete resources | CloudTrail | Activity Log |
| 2 | Data Plane | Read/write operations on data services | S3 Access Logs, CloudTrail data events | Storage Analytics Logs |
| 3 | Network Flow | IP traffic between resources | VPC Flow Logs | NSG Flow Logs |
| 4 | Application/Service | Application errors, performance, custom events | CloudWatch Logs | Application Insights |
| 5 | Authentication | Login events, MFA, token issuance | CloudTrail (IAM events), Cognito logs | Azure AD Sign-in Logs |
| 6 | Change/Configuration | Resource configuration changes over time | AWS Config | Azure Policy / Resource Graph |
| 7 | Billing/Usage | Service consumption and cost anomalies | Cost and Usage Report | Azure Cost Management |
CloudTrail (Management Plane): Records every API call made against your AWS account — who made it, from where, when, on what resource, and what the result was. This is the primary forensic data source for any AWS incident. It must be enabled in all regions, including opt-in regions, and the log bucket must be protected with S3 Object Lock.
VPC Flow Logs: Records metadata (not packet content) for every network flow in your VPC: source IP, destination IP, ports, protocol, bytes transferred, and accept/reject decision. Essential for detecting lateral movement, data exfiltration, and C2 communication.
AWS Config: Continuously records the configuration of your AWS resources and evaluates them against compliance rules. If an S3 bucket is accidentally made public, Config records the before/after state and can trigger automated remediation.
Centralising logs from all accounts, regions, and services into a single location gives security teams unified visibility and prevents attackers from covering their tracks by deleting logs in a compromised account.
Account A CloudTrail → S3 Log Archive Bucket (central, dedicated account)
Account B CloudTrail ↗ ↓
Account C CloudTrail ↗ Amazon Athena (SQL queries over logs)
↓
VPC Flow Logs → CloudWatch Logs → Kinesis Firehose → OpenSearch / SIEM
↓
Application Logs → CloudWatch Logs → GuardDuty findings
Not all log events are equal. High-priority alerts to configure from day one:
| Event | Log Source | Risk |
|---|---|---|
root account login | CloudTrail | Root should never be used operationally |
DeleteTrail or StopLogging | CloudTrail | Attacker covering tracks |
CreateUser + AttachUserPolicy rapid sequence | CloudTrail | New admin account creation |
Mass GetObject from S3 bucket | S3 Access Logs | Data exfiltration |
| SSH from new source IP | VPC Flow Logs | Potential unauthorised access |
GetSecretValue from Lambda with no recent invocations | CloudTrail | Credential harvesting |
Security group modified to allow 0.0.0.0/0:22 | Config | SSH exposure |
Logging is not a compliance checkbox — it is the foundation of cloud security operations. The seven log sources together give you visibility from the API layer to the network layer to the data layer. Centralise them, protect them with Object Lock, retain them for five years, and alert on high-priority events from day one.