Profile Applicability:

  • Level 1

Description:

It is crucial to monitor CloudWatch logs for any potential secrets, such as AWS credentials, passwords, or API keys, that may inadvertently appear in log entries. These secrets should be removed or managed properly to avoid unauthorized access to AWS resources. This check helps identify and prevent the accidental exposure of sensitive information in your CloudWatch logs.

Rationale:

Secrets, if exposed in logs, can provide unauthorized individuals with access to AWS resources, leading to security risks. Identifying and removing secrets from logs helps ensure sensitive information is protected and prevents potential breaches or misuse of access credentials.

Impact:

  • Positive Impact: Protects sensitive information from being exposed in logs, reducing the risk of unauthorized access and security breaches.

  • Negative Impact: May require a review of existing logs to identify any sensitive information, which could lead to some operational overhead.

Default Value:

By default, AWS does not prevent secrets from being logged in CloudWatch logs. This check is necessary to ensure no secrets are exposed.

Pre-Requisite:

  • Permissions Required: IAM permissions to read CloudWatch logs and perform log scanning.

  • AWS Services: CloudWatch must be enabled, and logs must be collected for relevant resources.

  • Tools Required: Optionally, you can use open-source tools such as TruffleHog or AWS services like Amazon Macie for detecting secrets in logs.

Remediation:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the CloudWatch Console at https://console.aws.amazon.com/cloudwatch/.

  3. In the left navigation pane, click on Logs.

  4. Under Log Groups, select the log group you want to inspect for secrets.

  5. Check the log entries for any sensitive data such as:

    • AWS Access Keys

    • API Keys

    • Passwords

  6. If any secrets are found, modify the application or logging configuration to ensure secrets are not logged in the future.

  7. Delete or mask any log entries that contain sensitive information.

Using AWS CLI:

Use the following CLI command to fetch logs from CloudWatch:

aws logs filter-log-events --log-group-name <log-group-name> --filter-pattern "accessKeyId"

  1. Replace accessKeyId with the specific keywords related to sensitive information (e.g., apiKey, password).

  2. Review the results. If secrets are found, take the necessary steps to secure them (rotate the exposed credential and remove or mask the entries) and ensure they are not logged again.

  3. Modify the log generation logic so that sensitive values are masked before they reach CloudWatch.

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to the CloudWatch Console.

  3. In the left navigation panel, click Logs.

  4. Select the Log Group to review the logs for secrets.

  5. Check for any sensitive information such as AWS credentials or API keys in the logs.

  6. If any secrets are found, follow these steps:

    • Mask or delete the sensitive information from logs.

    • Review and update application logging settings to ensure no sensitive information is logged in the future.

    • Implement environment variables or secure storage solutions (e.g., AWS Secrets Manager) for sensitive data.

Using AWS CLI:

Run the following CLI command to scan CloudWatch logs for potential secrets (CloudWatch filter-pattern syntax uses a leading ? on each term to match events containing any of the terms):

aws logs filter-log-events --log-group-name <log-group-name> --filter-pattern "?accessKeyId ?secretKey ?password"

  1. Review any returned logs for sensitive data.

  2. Mask or delete any sensitive information found.

  3. Modify the log configuration to avoid logging secrets in the future.
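As an added example (not part of this benchmark or of any AWS tool), the following Python script scans events in the JSON shape returned by the filter-log-events command above for the secret types this check names and masks the matched values before entries are shared or re-logged. The sample events and the secret-key, API-key and password regexes are assumptions constructed for the example; only the AWS access key ID format is taken from AWS documentation.

```python
import json
import re

# Patterns for the secret types this check names. The AWS access key ID format
# (AKIA/ASIA + 16 chars) is documented by AWS; the other three are heuristics
# (assumptions) for "name=value" fields and should be tuned to the app's log format.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)(?:aws_secret_access_key|secretKey)\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "api_key": re.compile(r"(?i)\bapi[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
    "password": re.compile(r"(?i)\bpassword\s*[=:]\s*['\"]?([^\s'\"]+)"),
}

# Constructed sample in the shape of `aws logs filter-log-events` JSON output.
# AKIAIOSFODNN7EXAMPLE is the non-functional example key from AWS documentation.
SAMPLE_OUTPUT = json.loads("""{
 "events": [
  {"logStreamName": "app/i-0abc", "timestamp": 1700000000000, "eventId": "1",
   "message": "INFO request served in 12ms"},
  {"logStreamName": "app/i-0abc", "timestamp": 1700000001000, "eventId": "2",
   "message": "DEBUG config accessKeyId=AKIAIOSFODNN7EXAMPLE region=us-east-1"},
  {"logStreamName": "app/i-0abc", "timestamp": 1700000002000, "eventId": "3",
   "message": "WARN db login failed password=Tr0ub4dor&3 user=app"}
 ]
}""")

def scan_events(events):
    """Return (eventId, secret_type) pairs for every message that matches a pattern."""
    findings = []
    for ev in events:
        msg = ev.get("message", "")
        for name, pat in SECRET_PATTERNS.items():
            if pat.search(msg):
                findings.append((ev.get("eventId"), name))
    return findings

def redact(message):
    """Mask secret material in a message, keeping the field name so context survives."""
    def mask(m):
        if m.lastindex:  # keep "password=" etc., replace only the captured value
            return m.group(0).replace(m.group(1), "***REDACTED***")
        return "***REDACTED***"  # bare access key ID: mask the whole token
    for pat in SECRET_PATTERNS.values():
        message = pat.sub(mask, message)
    return message

if __name__ == "__main__":
    for event_id, kind in scan_events(SAMPLE_OUTPUT["events"]):
        print(f"event {event_id}: {kind}")
```

To run it against real output, pipe the CLI command's JSON into json.load and pass the "events" list to scan_events; a finding should trigger credential rotation, not only redaction, since the value has already been exposed.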

Backout Plan:

Using AWS Console:

  1. Access CloudWatch Logs:

    • Sign in to the AWS Management Console.

    • Navigate to CloudWatch > Logs > Log Groups.

  2. Search for Secrets:

    • Open the log group where you suspect secrets might exist.

    • Use the Search Log Group feature with keywords like:

      • Password

      • Secret

      • Key

      • Token

      • API Key

  3. Analyze Results:

    • Review the matched log events for any sensitive data or unintended exposure of secrets.

Using AWS CLI:

  1. Export and Filter Logs:

Retrieve logs for a specific log group using the following command:

aws logs filter-log-events --log-group-name <log-group-name> --filter-pattern <pattern>

  • Replace <pattern> with keywords like "password", "secret", "key", or "token".

References:

CIS Controls Mapping:

Control Version | Control ID | Control Description
----------------|------------|-----------------------------------------------------------------------
v8              | 8.5        | Collect detailed audit logs and configure alerts for anomalies
v7              | 6.3        | Enable system logging to ensure sensitive data is tracked and monitored