Description:

AWS Directory Service provides a way to manage user identities and access to resources in the AWS cloud. It is important to monitor Directory Service to ensure that it is functioning properly and that there are no security vulnerabilities.

This policy ensures that Directory Service is monitored with CloudWatch logs. CloudWatch logs can be used to track events in Directory Service, such as user logins, changes to group memberships, and failed authentication attempts. This information can be used to identify security issues and to troubleshoot problems with Directory Service.

Rationale:

Monitoring Directory Service with CloudWatch logs can help to:

  • Identify security issues, such as unauthorized access to resources.
  • Troubleshoot problems with Directory Service.
  • Meet compliance requirements.

Impact:

If Directory Service is not monitored with CloudWatch logs, then it may be difficult to identify security issues or troubleshoot problems. This could lead to unauthorized access to resources, data breaches, or other security vulnerabilities.

Default Value:

AWS recommends that Directory Service be monitored with CloudWatch logs, meaning that Directory Service events are logged to CloudWatch.

Pre-requisites:

  • Access to the AWS Directory Service console or the AWS CLI.
  • Knowledge of CloudWatch logs.

Remediation Steps:

  1. Go to the AWS Directory Service console or the AWS CLI.
  2. Select the Directory Service that you want to monitor.
  3. Click on the "Logging" tab.
  4. Check the "Enable CloudWatch Logs" checkbox.
  5. Click on the "Save" button.

Test Plan:

  1. Check the CloudWatch logs for the Directory Service to make sure that events are being logged.
  2. Try to access a resource in the Directory Service that you do not have permission to access.
  3. Check the CloudWatch logs to see if the access attempt is logged.
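The following Python script is an added example for this test plan; it is not part of the original policy or of AWS tooling. It triages constructed, simplified event lines of the kind that step 3 expects to find once forwarding is enabled: failed logons per account and source address, and additions to a security-enabled group. The line layout is an assumption made for the example (real forwarded events carry the full Windows Security event text for AWS Managed Microsoft AD, so the label list would need adapting), while event IDs 4624, 4625 and 4728 are the standard Windows Security IDs for successful logon, failed logon and member added to a security-enabled global group.

```python
"""Triage constructed Directory Service security events forwarded to CloudWatch Logs.

Added example for the policy's test plan; not part of the original document.
The sample lines and their "Label: value" layout are constructed and simplified.
"""
import re
from collections import Counter

# Constructed sample log lines, one forwarded event per line.
SAMPLE_EVENTS = """\
2024-01-15T10:00:01Z EventID=4624 Account Name: jdoe Source Network Address: 10.0.1.25 Logon Type: 3
2024-01-15T10:00:07Z EventID=4625 Account Name: svc-backup Source Network Address: 10.0.2.40 Failure Reason: Unknown user name or bad password.
2024-01-15T10:00:09Z EventID=4625 Account Name: svc-backup Source Network Address: 10.0.2.40 Failure Reason: Unknown user name or bad password.
2024-01-15T10:00:12Z EventID=4625 Account Name: svc-backup Source Network Address: 10.0.2.40 Failure Reason: Unknown user name or bad password.
2024-01-15T10:00:14Z EventID=4625 Account Name: svc-backup Source Network Address: 10.0.2.40 Failure Reason: Unknown user name or bad password.
2024-01-15T10:00:16Z EventID=4625 Account Name: svc-backup Source Network Address: 10.0.2.40 Failure Reason: Unknown user name or bad password.
2024-01-15T10:00:30Z EventID=4625 Account Name: jdoe Source Network Address: 10.0.1.25 Failure Reason: Unknown user name or bad password.
2024-01-15T10:01:00Z EventID=4728 Member Name: CN=jdoe,OU=Users,DC=corp,DC=example,DC=com Group Name: Domain Admins Subject Account Name: adm-smith
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<id>\d+) (?P<body>.*)$")

# Labels that may appear in the constructed body. "Subject Account Name" is listed before
# "Account Name" so the longer label wins when both could match at the same position.
LABELS = ("Subject Account Name", "Account Name", "Source Network Address",
          "Failure Reason", "Logon Type", "Member Name", "Group Name")
LABEL_RE = re.compile(r"(?:^| )(" + "|".join(map(re.escape, LABELS)) + r"): ")


def parse_fields(body):
    """Split 'Label: value Label: value' text into a dict; values may contain spaces."""
    fields = {}
    matches = list(LABEL_RE.finditer(body))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(body)
        fields[m.group(1)] = body[m.end():end].strip()
    return fields


def parse_event(line):
    """Return a dict with time, event_id and the parsed fields, or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"time": m.group("ts"), "event_id": int(m.group("id"))}
    event.update(parse_fields(m.group("body")))
    return event


def triage(lines, failed_logon_threshold=5):
    """Count failed logons per (account, source) and list security-group additions."""
    failed = Counter()
    group_changes = []
    for line in lines.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        if event["event_id"] == 4625:
            failed[(event.get("Account Name", "?"), event.get("Source Network Address", "?"))] += 1
        elif event["event_id"] == 4728:
            group_changes.append({"group": event.get("Group Name"), "member": event.get("Member Name"),
                                  "by": event.get("Subject Account Name"), "time": event["time"]})
    flagged = sorted(key for key, n in failed.items() if n >= failed_logon_threshold)
    return {"failed_logons": dict(failed), "flagged": flagged, "group_changes": group_changes}


if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS)
    for key, n in summary["failed_logons"].items():
        print(f"failed logons {key}: {n}")
    print("over threshold:", summary["flagged"])
    print("group changes:", summary["group_changes"])
```

The same logic, once the real event layout is known, is what one would express as CloudWatch Logs metric filters and alarms on the forwarded log group; running it locally against exported lines first confirms that the events the test plan expects are actually arriving and parseable.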

Implementation Plan:

  1. Follow the remediation steps to enable CloudWatch logging for the Directory Service.
  2. Test the logging to make sure that it is working correctly.

AWS CLI Process:

To enable CloudWatch log forwarding for a directory using the AWS CLI, create a log subscription that points the directory at an existing CloudWatch Logs log group (ds is the CLI service name for Directory Service):

aws ds create-log-subscription --directory-id <directory-id> --log-group-name <log-group-name>

The log group must already exist, and it must carry a CloudWatch Logs resource policy that allows the ds.amazonaws.com service principal the logs:CreateLogStream and logs:PutLogEvents actions on it; otherwise the subscription is created but no events arrive. Confirm the subscription with:

aws ds list-log-subscriptions --directory-id <directory-id>
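Checking this across an account means combining three pieces of CLI output: the list of directories, the log subscriptions, and the CloudWatch Logs resource policies. The following Python script is an added example, not part of the original policy or of any AWS tool; it evaluates the JSON shapes returned by aws ds describe-directories, aws ds list-log-subscriptions and aws logs describe-resource-policies, using constructed sample data (the directory IDs, names, account number and log group names are made up) so that it runs offline.

```python
"""Audit which Directory Service directories forward logs to CloudWatch Logs.

Added example, not part of the original policy. It evaluates the JSON shapes
returned by three AWS CLI calls:
  aws ds describe-directories
  aws ds list-log-subscriptions
  aws logs describe-resource-policies
The samples below are constructed so the check runs offline; in practice, load
the live CLI output with json.load() and pass it to audit().
"""
import fnmatch
import json

# Constructed sample: `aws ds describe-directories` (fields trimmed to what the check uses).
DESCRIBE_DIRECTORIES = {"DirectoryDescriptions": [
    {"DirectoryId": "d-1111111111", "Name": "corp.example.com", "Type": "MicrosoftAD"},
    {"DirectoryId": "d-2222222222", "Name": "lab.example.com", "Type": "MicrosoftAD"},
    {"DirectoryId": "d-3333333333", "Name": "dev.example.com", "Type": "MicrosoftAD"},
]}

# Constructed sample: `aws ds list-log-subscriptions`.
LIST_LOG_SUBSCRIPTIONS = {"LogSubscriptions": [
    {"DirectoryId": "d-1111111111", "LogGroupName": "/aws/directoryservice/d-1111111111"},
    {"DirectoryId": "d-3333333333", "LogGroupName": "/custom/ds-logs"},
]}

# Constructed sample: `aws logs describe-resource-policies`; policyDocument is a JSON string.
# This statement grants the Directory Service principal write access to one log-group prefix only.
_POLICY_DOC = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ds.amazonaws.com"},
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/directoryservice/*",
    }],
}
DESCRIBE_RESOURCE_POLICIES = {"resourcePolicies": [
    {"policyName": "DSLogSubscription", "policyDocument": json.dumps(_POLICY_DOC)},
]}

REQUIRED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}


def _as_list(value):
    """IAM allows scalars or lists for Principal.Service, Action and Resource."""
    return value if isinstance(value, list) else [value]


def policy_allows_ds(resource_policies, log_group_name, region="us-east-1", account="111122223333"):
    """True if an Allow statement lets ds.amazonaws.com create streams and put events in the log group.

    Actions are matched by exact name; a statement granting "logs:*" is treated as insufficient,
    which is conservative rather than permissive.
    """
    group_arn = f"arn:aws:logs:{region}:{account}:log-group:{log_group_name}"
    for rp in resource_policies.get("resourcePolicies", []):
        doc = json.loads(rp["policyDocument"])
        for st in _as_list(doc.get("Statement", [])):
            principal = st.get("Principal", {})
            services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
            if st.get("Effect") != "Allow" or "ds.amazonaws.com" not in services:
                continue
            if not REQUIRED_ACTIONS <= set(_as_list(st.get("Action", []))):
                continue
            # Resource patterns use '*' as the wildcard; fnmatch handles that for ARNs.
            if any(fnmatch.fnmatchcase(group_arn, r) for r in _as_list(st.get("Resource", []))):
                return True
    return False


def audit(directories, subscriptions, resource_policies):
    """Map each DirectoryId to 'ok', 'no-subscription' or 'policy-missing'."""
    subs = {s["DirectoryId"]: s["LogGroupName"] for s in subscriptions.get("LogSubscriptions", [])}
    status = {}
    for d in directories.get("DirectoryDescriptions", []):
        did = d["DirectoryId"]
        if did not in subs:
            status[did] = "no-subscription"   # log forwarding never enabled
        elif not policy_allows_ds(resource_policies, subs[did]):
            status[did] = "policy-missing"    # subscription exists but the service cannot write
        else:
            status[did] = "ok"
    return status


if __name__ == "__main__":
    for did, state in audit(DESCRIBE_DIRECTORIES, LIST_LOG_SUBSCRIPTIONS, DESCRIBE_RESOURCE_POLICIES).items():
        print(f"{did}: {state}")
```

The third sample directory illustrates the failure mode the CLI note above describes: a subscription exists, but the resource policy does not cover its log group, so the directory would appear compliant to a check that only looks at list-log-subscriptions while no events are actually written.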

Using AWS GUI:

To enable CloudWatch logging for a Directory Service using the AWS GUI, you can follow these steps:

  1. Go to the AWS Directory Service console.
  2. Select the Directory Service that you want to enable CloudWatch logging for.
  3. Click on the "Logging" tab.
  4. Check the "Enable CloudWatch Logs" checkbox.
  5. Click on the "Save" button.

Backout Plan:

To back out the changes to the CloudWatch logging configuration, you can follow these steps:

  1. Go to the AWS Directory Service console or the AWS CLI.
  2. Select the Directory Service that you want to disable CloudWatch logging for.
  3. Click on the "Logging" tab.
  4. Uncheck the "Enable CloudWatch Logs" checkbox.
  5. Click on the "Save" button.

Note:

  • This policy is only applicable to Directory Services that are running in the AWS cloud.
  • If you are not sure whether a Directory Service is running in the AWS cloud, you can check the "Region" field in the AWS Directory Service console.

Reference:

  • AWS Directory Service documentation on CloudWatch logs: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_enable_log_forwarding.html

Section 2:

  • Tags: security, monitoring, directory service, cloudwatch logs
  • Keywords: directory service, cloudwatch logs, security, monitoring