Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both. 

Priority: High

Category: Situational Awareness

Services Associated with AWS:

  • AWS CloudTrail, AWS Identity and Access Management (IAM), AWS Security Hub

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screen shot of configuration settings
  • Technical: screen shot of logs from SIEM

Possible Technology Considerations:

  • Centralized Log Management
  • Security Information & Event Management (SIEM)

What needs to be answered:

Will the system alert employees with security responsibilities in the event of an audit processing failure? Is there a real-time alert when any defined event occurs?

  • Implement Alerting for Audit Logging Process Failures
    Description: This check ensures that organizations have implemented alerting mechanisms to detect and notify relevant personnel in the event of an audit logging process failure. Audit logging process failures can include software or hardware errors, failures in audit record capturing mechanisms, and reaching or exceeding the storage capacity of audit record data storage repositories. The alerting system promptly notifies designated individuals or teams responsible for addressing and resolving the failures to minimize the impact on audit logging and ensure the continuity of monitoring and compliance efforts.
  • Regularly Test Alerting Mechanisms
    Description: This check verifies that organizations regularly test the alerting mechanisms for audit logging process failures to ensure their effectiveness. Testing includes simulating various failure scenarios and validating that the alerting system successfully detects and notifies the appropriate personnel. Regular testing helps identify and address any issues or gaps in the alerting process, ensuring that failures are promptly identified and remediated.
  • Document and Maintain Audit Logging Alerting Procedures
    Description: This check ensures that organizations document and maintain procedures for handling audit logging process failures and the associated alerting mechanisms. The documentation includes details of the alerting process, escalation procedures, designated personnel responsible for responding to alerts, and any required corrective actions. By maintaining up-to-date procedures, organizations can ensure a timely and effective response to audit logging process failures.

More Details: 

Alerts are generated to IT support staff in the event of audit process failure.