Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by media protection and physical and environmental protection requirements. 

Priority: High   

Category:  Situational Awareness 

Services Associated with AWS:   

  • AWS Identity and Access Management (IAM), AWS CloudTrail, AWS CloudWatch
  • AWS Identity and Access Management (IAM), AWS CloudTrail, AWS CloudWatch, AWS Key Management Service (KMS), 
  • AWS CloudTrail, AWS CloudWatch 

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of SIEM settings

Possible Technology Considerations : 

  • Centralized Log Management
  • Security Information & Event Management (SIEM)

What needs to be answered :  

Does the system protect audit information and audit tools from unauthorized access, modification, and deletion? 

  • Restrict Access to Audit Information and Logging Tools
    Description: This check ensures that audit information and audit logging tools are protected from unauthorized access, modification, and deletion. Access to audit information is restricted to authorized individuals who require it for auditing and monitoring purposes. This includes implementing strong access controls, such as role-based access control (RBAC) and least privilege principles, to ensure that only authorized personnel can view, modify, or delete audit records. Audit logging tools, including software and devices used for auditing and logging activities, are also protected from unauthorized access and execution.
  • Implement Technical Safeguards for Audit Information Protection
    Description: This check verifies that organizations have implemented technical safeguards to protect audit information from unauthorized access, modification, and deletion. This includes employing encryption mechanisms to secure audit records in transit and at rest, implementing strong authentication and access controls to prevent unauthorized access to audit logs and tools, and implementing tamper-evident measures to detect and prevent unauthorized modifications. Additionally, organizations ensure that audit logs are stored in secure and resilient storage systems to prevent accidental or intentional deletion or tampering.
  • Regularly Monitor and Review Audit Logs and Tools
    Description: This check emphasizes the importance of regularly monitoring and reviewing audit logs and tools to detect any unauthorized access, modification, or deletion attempts. Organizations establish processes and procedures to conduct periodic audits of audit logs and tools, ensuring that any suspicious activities or anomalies are promptly identified and investigated. Regular review of audit logs helps to maintain the integrity and availability of audit information and ensures that any unauthorized actions are detected and mitigated in a timely manner.

More Details:   

Monitoring systems and tools are restricted to IT support staff and cannot be used by general employees.