Task Statement 4.2: Validate and audit security by using network monitoring and logging services.
📘AWS Certified Advanced Networking – Specialty
1. What is Log Creation in AWS?
Log creation means generating records of activities happening inside your AWS network and services.
These logs help you:
- Monitor network traffic
- Detect security threats
- Troubleshoot issues
- Meet compliance and auditing requirements
👉 In AWS, logs are usually stored in:
- Amazon CloudWatch Logs
- Amazon S3 (for long-term storage and analysis)
2. Why Logs Are Important for the Exam
For the exam, remember:
✔ Logs provide visibility into network activity
✔ Logs are NOT enabled by default in many services
✔ Logs are used for:
- Security analysis
- Incident response
- Compliance audits
3. Types of Logs You Must Know
You must clearly understand these three key log types:
- VPC Flow Logs
- Load Balancer Access Logs
- CloudFront Access Logs
4. VPC Flow Logs
4.1 What Are VPC Flow Logs?
VPC Flow Logs capture IP traffic metadata going to and from:
- Network interfaces (ENI)
- Subnets
- Entire VPC
👉 They do NOT capture full packet content (only metadata).
4.2 What Data Do They Capture?
Each log record includes:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Protocol (TCP/UDP/ICMP)
- Number of packets and bytes
- Action (ACCEPT or REJECT)
4.3 Where Are Logs Stored?
You can send flow logs to:
- CloudWatch Logs (real-time monitoring)
- S3 bucket (long-term storage and analytics)
4.4 How Flow Logs Are Created
Steps:
- Select the scope: VPC, subnet, or network interface (ENI)
- Choose the log destination: CloudWatch Logs or S3
- Define the IAM role (for permissions)
- Set the traffic type to capture:
  - ACCEPT
  - REJECT
  - ALL
4.5 Key Exam Points
✔ Captures metadata only, NOT payload
✔ Useful for security monitoring and troubleshooting
✔ Helps detect:
- Unauthorized access attempts
- Misconfigured security groups or NACLs
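The following is an added example, not code from the original notes or from AWS: it parses default-format VPC Flow Log records (the 14-field version 2 layout listed in 4.2) and groups REJECTed traffic by source address, which is the kind of analysis used to spot both probing from outside and a security group or NACL that is missing a rule. The account id, ENI id and addresses in the sample records are constructed placeholders; the threshold of three distinct ports is an arbitrary assumption.

```python
"""Added example: parse default-format VPC Flow Log records and summarise
REJECTed traffic per source address. Stand-alone; input is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Field order of the default flow log format (version 2), as documented by AWS.
DEFAULT_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
                  "srcport", "dstport", "protocol", "packets", "bytes",
                  "start", "end", "action", "log_status")

# IANA protocol numbers that appear most often in flow logs.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: str
    packets: int
    byte_count: int
    action: str


def parse_record(line):
    """Return a FlowRecord, or None for malformed, NODATA or SKIPDATA lines.

    NODATA/SKIPDATA records still have 14 fields but carry '-' in the address,
    port and counter columns, so they are skipped before any int() conversion.
    """
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        return None
    raw = dict(zip(DEFAULT_FIELDS, parts))
    if raw["log_status"] != "OK":
        return None
    proto = int(raw["protocol"])
    return FlowRecord(
        srcaddr=raw["srcaddr"],
        dstaddr=raw["dstaddr"],
        srcport=int(raw["srcport"]),
        dstport=int(raw["dstport"]),
        protocol=PROTOCOL_NAMES.get(proto, str(proto)),
        packets=int(raw["packets"]),
        byte_count=int(raw["bytes"]),
        action=raw["action"],
    )


def summarize_rejects(lines):
    """Group REJECT records by source address.

    Returns {srcaddr: {"rejects": n, "dstports": sorted rejected ports}}.
    Many distinct rejected ports from one source is worth investigating; a single
    internal source rejected on one port usually means a missing SG/NACL rule.
    """
    per_src = defaultdict(lambda: {"rejects": 0, "dstports": set()})
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.action != "REJECT":
            continue
        per_src[rec.srcaddr]["rejects"] += 1
        per_src[rec.srcaddr]["dstports"].add(rec.dstport)
    return {src: {"rejects": v["rejects"], "dstports": sorted(v["dstports"])}
            for src, v in per_src.items()}


def sources_with_many_rejected_ports(summary, min_ports=3):
    """Sources whose rejected traffic touched at least min_ports distinct ports."""
    return sorted(src for src, v in summary.items() if len(v["dstports"]) >= min_ports)


# Constructed sample records: placeholder account id, ENI id and addresses.
SAMPLE_LINES = [
    "2 111122223333 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.20 51000 443 6 12 3400 1700000000 1700000060 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.20 51001 22 6 1 60 1700000000 1700000060 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.2.20 40001 22 6 1 60 1700000000 1700000060 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.2.20 40002 3389 6 1 60 1700000000 1700000060 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.2.20 40003 445 6 1 60 1700000000 1700000060 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    summary = summarize_rejects(SAMPLE_LINES)
    for src, info in summary.items():
        print(f"{src}: {info['rejects']} rejects on ports {info['dstports']}")
    print("investigate:", sources_with_many_rejected_ports(summary))
```

Note that only metadata is available here (addresses, ports, counters, action); nothing in a flow log tells you what was inside the packets, which is the point of exam tip 4.5.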
5. Load Balancer Access Logs
5.1 What Are They?
Load Balancer Access Logs record requests sent to your load balancer.
Supported for:
- Application Load Balancer (ALB)
- Network Load Balancer (NLB) (limited compared to ALB)
- Classic Load Balancer
5.2 What Data Do They Capture?
Typical fields:
- Client IP address
- Request time
- Request path (URL)
- Backend target IP
- Response status code
- Latency (processing time)
- Bytes sent/received
5.3 Where Are Logs Stored?
👉 Stored only in Amazon S3
- Logs are delivered as gzip-compressed files
- Organized by:
  - Region
  - Date
  - Load balancer name
5.4 How Log Creation Works
- Enable access logging on the load balancer
- Specify:
  - S3 bucket
  - Optional prefix
- AWS writes logs periodically (every 5–60 minutes)
5.5 Key Exam Points
✔ Helps analyze:
- Traffic patterns
- Errors (e.g., HTTP 500)
- Latency issues
✔ Used for:
- Security auditing (who accessed what)
- Troubleshooting application performance
✔ Must configure:
- Correct S3 bucket permissions
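As an added example (not from the original notes or from AWS), here is a parser for ALB access log entries that produces the three things 5.5 lists: status-code mix, 5xx errors per backend target, and latency. It tokenises with shlex so the double-quoted request and user-agent fields survive, and treats the "-1" processing times of requests that never reached a target as "no latency". The sample entries are constructed (placeholder account id, ALB and target group names); later columns such as the certificate ARN are abbreviated to "-".

```python
"""Added example: parse ALB access log entries and summarise status codes,
5xx errors per target and request latency. Stand-alone, constructed input."""
import shlex
from collections import Counter
from statistics import median

# Leading positional fields of an ALB access log entry, in the order AWS documents.
# Later fields (trace_id, domain_name, chosen_cert_arn, ...) have grown over
# log versions, so anything after target_group_arn is kept raw under "extra".
LEADING_FIELDS = (
    "type", "time", "elb", "client_port", "target_port",
    "request_processing_time", "target_processing_time",
    "response_processing_time", "elb_status_code", "target_status_code",
    "received_bytes", "sent_bytes", "request", "user_agent",
    "ssl_cipher", "ssl_protocol", "target_group_arn",
)


def parse_alb_line(line):
    """Tokenise one entry; shlex honours the double-quoted request/user-agent fields."""
    tokens = shlex.split(line)
    if len(tokens) < len(LEADING_FIELDS):
        raise ValueError(f"expected at least {len(LEADING_FIELDS)} fields, got {len(tokens)}")
    rec = dict(zip(LEADING_FIELDS, tokens))
    rec["extra"] = tokens[len(LEADING_FIELDS):]
    rec["client_ip"] = rec["client_port"].rsplit(":", 1)[0]
    # target is "-" when the ALB answered without forwarding (e.g. 502, or a fixed-response rule).
    rec["target"] = None if rec["target_port"] == "-" else rec["target_port"]
    times = [float(rec[k]) for k in ("request_processing_time",
                                     "target_processing_time",
                                     "response_processing_time")]
    # All three processing times are -1 when the request never reached a target.
    rec["total_time"] = None if any(t < 0 for t in times) else sum(times)
    method, url, _version = rec["request"].split(" ", 2)
    rec["method"], rec["url"] = method, url
    return rec


def summarize(lines):
    """Aggregate status classes, 5xx count per target and median end-to-end latency."""
    status_classes = Counter()
    errors_by_target = Counter()
    latencies = []
    for line in lines:
        rec = parse_alb_line(line)
        status_classes[rec["elb_status_code"][0] + "xx"] += 1
        if rec["elb_status_code"].startswith("5"):
            errors_by_target[rec["target"] or "no-target"] += 1
        if rec["total_time"] is not None:
            latencies.append(rec["total_time"])
    return {
        "status_classes": dict(status_classes),
        "5xx_by_target": dict(errors_by_target),
        "median_latency": median(latencies) if latencies else None,
    }


# Constructed sample entries (placeholder account id, ALB and target group names).
SAMPLE_LINES = [
    'https 2024-01-15T10:00:01.123456Z app/web-alb/50dc6c495c0c9188 203.0.113.5:43210 10.0.2.20:80 0.001 0.052 0.000 200 200 120 5300 "GET https://www.example.com:443/index.html HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/web-tg/73e2d6bc24d8a067 "Root=1-65a5e1c1-0123456789abcdef01234567" "www.example.com" "-" 0 2024-01-15T10:00:01.120000Z "forward" "-" "-" "10.0.2.20:80" "200" "-" "-"',
    'https 2024-01-15T10:00:02.000000Z app/web-alb/50dc6c495c0c9188 203.0.113.5:43211 10.0.2.20:80 0.001 1.250 0.000 500 500 130 512 "POST https://www.example.com:443/api/orders HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/web-tg/73e2d6bc24d8a067 "Root=1-65a5e1c2-0123456789abcdef01234568" "www.example.com" "-" 0 2024-01-15T10:00:01.998000Z "forward" "-" "-" "10.0.2.20:80" "500" "-" "-"',
    'https 2024-01-15T10:00:03.000000Z app/web-alb/50dc6c495c0c9188 198.51.100.7:40001 - -1 -1 -1 502 - 90 0 "GET https://www.example.com:443/health HTTP/1.1" "curl/8.4.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/web-tg/73e2d6bc24d8a067 "Root=1-65a5e1c3-0123456789abcdef01234569" "www.example.com" "-" 0 2024-01-15T10:00:02.990000Z "forward" "-" "-" "-" "-" "-" "-"',
    'https 2024-01-15T10:00:04.000000Z app/web-alb/50dc6c495c0c9188 198.51.100.7:40002 - -1 -1 -1 403 - 90 0 "GET https://www.example.com:443/admin HTTP/1.1" "curl/8.4.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/web-tg/73e2d6bc24d8a067 "Root=1-65a5e1c4-0123456789abcdef0123456a" "www.example.com" "-" 1 2024-01-15T10:00:03.990000Z "fixed-response" "-" "-" "-" "-" "-" "-"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Because the files land in S3 gzip-compressed, a real run would open each object with gzip.open() and feed its lines to summarize(); the parsing itself is unchanged.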
6. CloudFront Access Logs
6.1 What Are They?
CloudFront Access Logs capture requests handled by the CDN (edge locations).
6.2 What Data Do They Capture?
- Viewer IP address
- Request method (GET, POST)
- Requested object (file)
- HTTP status code
- Referrer
- User-Agent
- Edge location
6.3 Where Are Logs Stored?
👉 Stored in Amazon S3
- Delivered periodically
- Files are space-delimited text
6.4 Types of CloudFront Logs
1. Standard Logs
- Delivered to S3
- Delayed (not real-time)
2. Real-Time Logs
- Delivered to:
  - Kinesis Data Streams
- Used for:
  - Immediate monitoring
  - Security automation
6.5 How Log Creation Works
- Enable logging on the CloudFront distribution
- Select:
  - S3 bucket
  - Prefix
- (Optional) Enable real-time logging with Kinesis
6.6 Key Exam Points
✔ Logs edge-level requests
✔ Useful for:
- CDN usage analysis
- Security monitoring (e.g., suspicious IPs)
✔ Real-time logs are:
- More advanced
- Used for automation and detection
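Added example, not part of the original notes or of AWS documentation: a parser for the S3-delivered CloudFront standard log format, which differs from the ALB format in being tab-delimited with a "#Fields:" header that names the columns. The parser is driven by that header, URL-decodes the user-agent column, and then flags viewer IPs with repeated 403 responses, the "suspicious IPs" use case in 6.6. The sample log is constructed with a subset of the real columns and placeholder distribution and edge-location names.

```python
"""Added example: parse a CloudFront standard access log via its #Fields header
and flag viewer IPs with repeated 403 responses. Stand-alone, constructed input."""
from collections import Counter
from urllib.parse import unquote


def parse_cloudfront_log(text):
    """Return one dict per data line, keyed by the column names in the #Fields header.

    Standard logs are tab-separated; '#Version' and '#Fields' lines precede the
    data, and the column set has grown over time, so the header is authoritative.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line appeared before the #Fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        rec = dict(zip(fields, values))
        # CloudFront URL-encodes this column (spaces appear as %20).
        if "cs(User-Agent)" in rec:
            rec["cs(User-Agent)"] = unquote(rec["cs(User-Agent)"])
        records.append(rec)
    return records


def suspicious_ips(records, min_denied=3):
    """Viewer IPs that received at least min_denied 403 responses (threshold is an assumption)."""
    denied = Counter(r["c-ip"] for r in records if r["sc-status"] == "403")
    return sorted(ip for ip, n in denied.items() if n >= min_denied)


def requests_by_edge(records):
    """Request count per edge location, the CDN usage view mentioned in 6.6."""
    return dict(Counter(r["x-edge-location"] for r in records))


# Constructed sample log with a subset of the real columns; placeholder
# distribution hostname and edge-location codes.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) x-edge-result-type",
    "\t".join(["2024-01-15", "10:00:01", "IAD89-C1", "1024", "203.0.113.5", "GET",
               "d111111abcdef8.cloudfront.net", "/index.html", "200", "-", "Mozilla/5.0%20(X11)", "Hit"]),
    "\t".join(["2024-01-15", "10:00:02", "IAD89-C1", "512", "198.51.100.7", "GET",
               "d111111abcdef8.cloudfront.net", "/admin", "403", "-", "curl/8.4.0", "Error"]),
    "\t".join(["2024-01-15", "10:00:03", "IAD89-C1", "512", "198.51.100.7", "GET",
               "d111111abcdef8.cloudfront.net", "/config", "403", "-", "curl/8.4.0", "Error"]),
    "\t".join(["2024-01-15", "10:00:04", "IAD89-C1", "512", "198.51.100.7", "GET",
               "d111111abcdef8.cloudfront.net", "/backup.zip", "403", "-", "curl/8.4.0", "Error"]),
    "\t".join(["2024-01-15", "10:00:05", "FRA50-C1", "2048", "192.0.2.44", "GET",
               "d111111abcdef8.cloudfront.net", "/image.png", "200", "https://www.example.com/", "Mozilla/5.0", "Miss"]),
])

if __name__ == "__main__":
    recs = parse_cloudfront_log(SAMPLE_LOG)
    print("requests by edge:", requests_by_edge(recs))
    print("repeatedly denied viewers:", suspicious_ips(recs))
```

Real-time logs (6.4) carry the same kind of fields but arrive as Kinesis records rather than files, so the header-driven approach above applies to the standard logs only.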
7. Comparison of Log Types
| Feature | VPC Flow Logs | Load Balancer Logs | CloudFront Logs |
|---|---|---|---|
| Layer | Network (L3/L4) | Application (L7) | Edge/CDN |
| Captures | Traffic metadata | HTTP/HTTPS requests | CDN requests |
| Storage | CloudWatch / S3 | S3 only | S3 / Kinesis |
| Real-time | Near real-time | Delayed | Optional real-time |
| Payload | ❌ No | ❌ No | ❌ No |
8. Common Exam Scenarios
Scenario 1:
👉 Need to analyze network-level traffic between instances
✔ Use: VPC Flow Logs
Scenario 2:
👉 Need to debug application errors behind a load balancer
✔ Use: Load Balancer Access Logs
Scenario 3:
👉 Need to monitor user requests at global edge locations
✔ Use: CloudFront Access Logs
Scenario 4:
👉 Need real-time streaming logs for security analysis
✔ Use:
- CloudFront Real-Time Logs
- Flow Logs → CloudWatch
9. Best Practices (Important for Exam)
✔ Enable logs at multiple layers:
- Network (Flow Logs)
- Application (ALB logs)
- Edge (CloudFront logs)
✔ Store logs in:
- S3 for long-term retention
- CloudWatch for real-time monitoring
✔ Use:
- Lifecycle policies (to reduce cost)
- Encryption (SSE-S3 / SSE-KMS)
✔ Restrict access:
- Use IAM policies
- Lock down the logging bucket itself
✔ Integrate with:
- Amazon Athena (query logs)
- SIEM tools (security analysis)
10. Common Mistakes (Exam Traps)
❌ Thinking Flow Logs capture packet content
→ They only capture metadata
❌ Assuming logs are enabled by default
→ Most must be manually enabled
❌ Confusing log storage:
- ALB → S3 only
- Flow Logs → CloudWatch or S3
❌ Ignoring permissions:
→ The S3 bucket policy must allow the AWS services to write logs
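The permissions trap in section 10 and the "restrict access" practice in section 9 can be checked mechanically. The following is an added example, not code from the original notes or from AWS: a small linter for the bucket policy of a flow-log destination bucket. It looks for the two statements AWS documents for the delivery.logs.amazonaws.com service principal (s3:PutObject on AWSLogs/<account>/* with the s3:x-amz-acl = bucket-owner-full-control condition, and s3:GetBucketAcl on the bucket) and flags any Allow to an anonymous principal. The two policies below are constructed; the bucket name and account id are placeholders. ALB and CloudFront log delivery use different principals and mechanisms, so this check is specific to flow logs.

```python
"""Added example: lint an S3 bucket policy used as a VPC Flow Log destination.
Constructed policies; placeholder bucket name and account id."""
import fnmatch

# Service principal that delivers flow logs to S3 (AWS-documented).
LOG_DELIVERY_SERVICE = "delivery.logs.amazonaws.com"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Return the statement's service principals, plus '*' for an anonymous grant."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return {"*"}
    if isinstance(principal, dict):
        result = set(_as_list(principal.get("Service", [])))
        if principal.get("AWS") == "*":
            result.add("*")
        return result
    return set()


def check_log_bucket_policy(policy, bucket, account_id):
    """Return a list of findings; an empty list means the policy looks correct."""
    findings = []
    objects_arn = f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*"
    bucket_arn = f"arn:aws:s3:::{bucket}"
    put_found = acl_found = False
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        resources = _as_list(stmt.get("Resource", []))
        principals = _principals(stmt)
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in principals:
            findings.append(f"{sid}: grants {sorted(actions)} to an anonymous principal")
            continue
        if LOG_DELIVERY_SERVICE not in principals:
            continue
        # Resource may be written with a wildcard; fnmatch checks it covers the log prefix.
        if "s3:PutObject" in actions and any(fnmatch.fnmatch(objects_arn, r) for r in resources):
            put_found = True
            acl_cond = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if acl_cond != "bucket-owner-full-control":
                findings.append(f"{sid}: s3:PutObject grant lacks the "
                                "s3:x-amz-acl = bucket-owner-full-control condition")
        if "s3:GetBucketAcl" in actions and bucket_arn in resources:
            acl_found = True
    if not put_found:
        findings.append(f"no s3:PutObject grant for {LOG_DELIVERY_SERVICE} on {objects_arn}")
    if not acl_found:
        findings.append(f"no s3:GetBucketAcl grant for {LOG_DELIVERY_SERVICE} on {bucket_arn}")
    return findings


BUCKET, ACCOUNT = "example-flow-logs", "111122223333"   # constructed placeholders

# Weak policy: world-readable objects, no ACL condition, no GetBucketAcl statement.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "LogWrite", "Effect": "Allow",
         "Principal": {"Service": LOG_DELIVERY_SERVICE},
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

# Hardened policy: only the delivery service, scoped to the AWSLogs prefix, with the ACL condition.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
         "Principal": {"Service": LOG_DELIVERY_SERVICE},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{ACCOUNT}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                        "aws:SourceAccount": ACCOUNT}}},
        {"Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow",
         "Principal": {"Service": LOG_DELIVERY_SERVICE},
         "Action": "s3:GetBucketAcl",
         "Resource": f"arn:aws:s3:::{BUCKET}",
         "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT}}},
    ],
}

if __name__ == "__main__":
    print("weak:", check_log_bucket_policy(WEAK_POLICY, BUCKET, ACCOUNT))
    print("hardened:", check_log_bucket_policy(HARDENED_POLICY, BUCKET, ACCOUNT))
```

The hardened policy is the "correct S3 bucket permissions" side of the comparison; encryption (SSE-S3 or SSE-KMS) and lifecycle rules from section 9 are bucket settings rather than policy statements, so they are not part of this check.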
11. Final Exam Summary
You should remember:
- VPC Flow Logs → Network traffic visibility
- Load Balancer Logs → Application request visibility
- CloudFront Logs → Edge/CDN visibility
👉 Together, they provide full-layer monitoring:
- Network
- Application
- Global edge
