The good news about logging in the cloud: every API call, every console action, every resource change can be logged. The bad news: by default many of those logs are not retained, not centralized, and not parsed.
Three log streams every cloud needs
- Audit / control-plane logs. Who did what to which resource. This is your forensics tape.
- Data-plane logs. Application traffic, database queries, storage access. Higher volume, higher value.
- Identity / authentication logs. Sign-in attempts, token issuance, MFA events. The earliest signal of compromise.
Centralization beats local
A log that lives only in the account where it was generated is a log an attacker can delete during the breach. Forwarding to a separate, write-only account that has independent access controls is the single highest-leverage logging change you can make.
What "monitoring" should mean
- Real-time alerts on identity anomalies (impossible travel, MFA bypass attempts, role-elevation events)
- Daily review of resource creations in production by anyone other than the deployment pipeline
- Weekly review of permission grants
- Quarterly retention audits to confirm logs are landing where you think they are
Anti-patterns
- Sending all logs to a single bucket and "we'll grep when we need to"
- Alerting on so many things that the team mutes the channel
- Skipping data-plane logs because the volume is "too expensive"
- Storing logs in the same account that generated them
Takeaway
Logs you cannot read in five minutes during an incident might as well not exist. Build for the bad day before you need it.
HS Academy
All HS Academy lessons are free to read. Create a free HorizonShield account to explore the platform itself.
Sign up free →