Profile Applicability:
Level 1
Description:
Amazon Directory Service allows you to set up and manage directories in the cloud, enabling AWS resources to authenticate users and access applications. Monitoring Directory Service using Amazon CloudWatch Logs allows for the collection, visualization, and analysis of log data generated by the directory, which is essential for troubleshooting and tracking security events. Enabling CloudWatch Logs for Directory Service provides visibility into the health and performance of the directory, helping to ensure that issues are identified and addressed proactively.
This SOP ensures that Amazon Directory Service is configured to send logs to CloudWatch, allowing you to monitor the directory's operational health and security.
Rationale:
Proactive Monitoring: CloudWatch Logs provides the ability to capture logs from Directory Service for real-time monitoring. This allows the detection of issues such as unauthorized access, authentication failures, or configuration errors.
Security: CloudWatch Logs provides insight into potential security threats and unauthorized access attempts by logging relevant events from the directory service.
Compliance: Many regulatory standards (such as PCI-DSS, SOC 2, HIPAA) require centralized logging and monitoring of critical infrastructure, including directory services. CloudWatch Logs helps meet these requirements by storing and organizing logs for future analysis and auditing.
Impact:
Pros:
Improved Visibility: Centralized logging with CloudWatch allows real-time tracking of activities and events in Directory Service.
Enhanced Troubleshooting: By collecting logs in CloudWatch, any issues related to Directory Service can be quickly identified, helping with faster root cause analysis.
Security and Compliance: CloudWatch Logs helps track security events, access attempts, and system behavior, which supports meeting compliance requirements.
Cons:
Cost: Enabling CloudWatch Logs may increase costs, depending on the volume of logs generated and stored.
Data Management: As logs accumulate, they may need to be managed properly to avoid unnecessary storage costs or clutter.
Default Value:
By default, Amazon Directory Service does not send logs to CloudWatch Logs. It requires explicit configuration to enable the integration.
Pre-requisite:
AWS IAM Permissions:
ds:DescribeDirectories
ds:EnableLDAPS
logs:PutLogEvents
AWS CLI installed and configured.
Directory Service must be created and running.
CloudWatch Logs must be available and accessible in the region.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Directory Service under Services.
Select the directory that you want to monitor and ensure it is active.
Navigate to CloudWatch Logs and verify that logs from Directory Service are being forwarded.
In the CloudWatch Console, go to Logs and check if you have log groups for Directory Service.
Check if the logs are being populated under these log groups.
Using AWS CLI:
To list the directories in the account whose logging you need to check, run:
aws ds describe-directories --query 'DirectoryDescriptions[*].DirectoryId'
To verify if CloudWatch Logs is receiving logs, use the following command:
aws logs describe-log-groups --log-group-name-prefix '/aws/directoryservice'
The output should show log groups for Directory Service if it is correctly configured to send logs to CloudWatch.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to Directory Service.
Choose the directory you want to configure and select Monitoring in the directory details page.
Enable CloudWatch Logs: In the Monitoring section, enable CloudWatch logs integration to start sending logs.
Choose the appropriate log group to send logs to, or create a new log group.
Once enabled, navigate to CloudWatch under Services to verify that the logs are being collected.
Using AWS CLI:
To enable logging for Directory Service to CloudWatch Logs, run the following command:
aws ds create-log-subscription --directory-id <Directory-ID> --log-group-name <log-group-name>
Once the command is executed, verify that logs are being sent to the specified log group in CloudWatch Logs:
aws logs describe-log-groups --log-group-name-prefix '/aws/directoryservice'
Backout Plan:
If enabling CloudWatch Logs for Directory Service causes issues (e.g., excessive logging, performance degradation):
Identify the affected Directory Service and verify if logs are causing resource constraints.
Revert the changes by disabling CloudWatch Logs:
aws ds delete-log-subscription --directory-id <Directory-ID>
Monitor CloudWatch Logs to ensure no further logs are being sent.
Note:
Log Retention: It is important to configure log retention policies in CloudWatch Logs to avoid accumulating excessive log data, which may result in higher costs. Configure the log retention settings based on the organization’s policies.
CloudWatch Alarms: You can also set up CloudWatch alarms based on specific log patterns (e.g., failed login attempts) to trigger notifications or actions (e.g., Lambda functions).
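The following script is an added example, not part of the original SOP, that ties together the Test Plan, the CLI implementation steps and the Log Retention note. Instead of calling AWS, it evaluates the JSON that `aws ds describe-directories`, `aws ds list-log-subscriptions` and `aws logs describe-log-groups` return, so it runs offline against constructed sample documents (the directory IDs, names and log group names below are made up). For every directory without a log subscription it prints the CLI sequence that remediates it; the log group name follows the console's default `/aws/directoryservice/<Directory-ID>` pattern, the 90-day retention default is an assumption, and the resource policy is scoped with wildcards that should be narrowed to your region and account.

```python
"""Offline audit of the "Directory Service -> CloudWatch Logs" control.

Added example (not the SOP's own code). Inputs are the JSON documents the
AWS CLI returns; the samples below are constructed, with made-up IDs.
"""
import json
from typing import Dict, List

# Constructed sample output of: aws ds describe-directories
DESCRIBE_DIRECTORIES = json.dumps({
    "DirectoryDescriptions": [
        {"DirectoryId": "d-1111111111", "Name": "corp.example.com", "Stage": "Active"},
        {"DirectoryId": "d-2222222222", "Name": "lab.example.com", "Stage": "Active"},
    ]
})

# Constructed sample output of: aws ds list-log-subscriptions (account-wide)
LIST_LOG_SUBSCRIPTIONS = json.dumps({
    "LogSubscriptions": [
        {"DirectoryId": "d-1111111111", "LogGroupName": "/aws/directoryservice/d-1111111111"}
    ]
})

# Constructed sample output of:
#   aws logs describe-log-groups --log-group-name-prefix /aws/directoryservice
DESCRIBE_LOG_GROUPS = json.dumps({
    "logGroups": [
        # no "retentionInDays" key means CloudWatch keeps the events forever
        {"logGroupName": "/aws/directoryservice/d-1111111111", "storedBytes": 123456}
    ]
})


def audit(directories_json: str, subscriptions_json: str, log_groups_json: str) -> Dict[str, List[str]]:
    """Return two findings lists: directories with no log subscription (the
    control fails) and subscribed log groups with no retention policy."""
    directories = json.loads(directories_json)["DirectoryDescriptions"]
    subscriptions = json.loads(subscriptions_json)["LogSubscriptions"]
    groups = json.loads(log_groups_json)["logGroups"]

    subscribed = {s["DirectoryId"]: s["LogGroupName"] for s in subscriptions}
    retention = {g["logGroupName"]: g.get("retentionInDays") for g in groups}

    missing_subscription = [d["DirectoryId"] for d in directories if d["DirectoryId"] not in subscribed]
    no_retention = [name for name in subscribed.values() if retention.get(name) is None]
    return {"missing_subscription": missing_subscription, "no_retention": no_retention}


def remediation_commands(directory_id: str, retention_days: int = 90) -> List[str]:
    """Build the CLI sequence that enables forwarding for one directory:
    create the log group, set retention, grant the Directory Service
    principal write access, then create the subscription.
    retention_days defaults to 90 as an assumption; use your policy's value."""
    log_group = f"/aws/directoryservice/{directory_id}"
    # Resource policy letting ds.amazonaws.com write into this log group.
    # The "*" region/account fields are placeholders; narrow them in production.
    policy = json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ds.amazonaws.com"},
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": f"arn:aws:logs:*:*:log-group:{log_group}:*",
        }],
    })
    return [
        f"aws logs create-log-group --log-group-name {log_group}",
        f"aws logs put-retention-policy --log-group-name {log_group} --retention-in-days {retention_days}",
        f"aws logs put-resource-policy --policy-name DSLogSubscription-{directory_id} --policy-document '{policy}'",
        f"aws ds create-log-subscription --directory-id {directory_id} --log-group-name {log_group}",
    ]


if __name__ == "__main__":
    findings = audit(DESCRIBE_DIRECTORIES, LIST_LOG_SUBSCRIPTIONS, DESCRIBE_LOG_GROUPS)
    for directory_id in findings["missing_subscription"]:
        print(f"FAIL {directory_id}: no CloudWatch Logs subscription")
        for cmd in remediation_commands(directory_id):
            print("    ", cmd)
    for group in findings["no_retention"]:
        print(f"WARN {group}: retention is 'never expire'")
```

With the sample data the script reports `d-2222222222` as failing the control and flags the existing `d-1111111111` log group for having no retention policy. To run it against a real account, replace the three constants with the output of the corresponding `aws` commands (for example via `subprocess` or by saving each command's output to a file) and review the printed remediation commands before executing them.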