Monitoring, logging & incident response

All significant actions are logged for compliance and forensic purposes. Threat detection runs continuously, and alerts are delivered in real-time.

Audit logging

• Application audit logs (CloudWatch): User actions including create, update, delete, share, and access-denied events. Retained for 90 days.
• AWS CloudTrail: All AWS API calls logged across all regions. Retained for 365 days in CloudWatch, archived to S3 with Glacier lifecycle for 2 years.
• VPC Flow Logs: Network traffic metadata on all subnets.
• WAF Logs: All blocked and rate-limited requests.

Threat detection

• AWS GuardDuty (production): Continuous threat detection monitoring for malicious activity and unauthorized behavior.
• CloudWatch Metric Filters: Real-time alerting on security-relevant events.
• WAF Alerts: Automated alerts for blocked request spikes, rate limiting triggers, and SQL injection attempts. Delivered to Slack.

Security alarms

CloudWatch alarms are configured for:

• Root account usage
• Unauthorized API calls
• IAM policy changes
• Security group modifications
• S3 bucket policy changes
• VPC changes
• Network gateway changes
• NACL changes
• Route table changes

Infrastructure as Code

All infrastructure is defined in Terraform, version-controlled in Git, and reviewed via pull requests before deployment.