The Office of Management and Budget issued memorandum M-21-31, which establishes a maturity model to guide the implementation of event logging requirements for cybersecurity incidents. Amazon Web Services has now outlined for federal customers which AWS services listed in the memo require log data capture and storage at the EL1 level.
“EL1 is defined by a basic rating, in which logging requirements of the highest criticality are to be captured. EL2 and EL3 describe further event logging maturity levels which build on EL1,” Vin Minichino, a senior solutions architect at AWS, wrote in a blog post published Friday.
The AWS services are AWS CloudTrail, Amazon CloudWatch, AWS Config, Amazon S3 Access Logs, Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, AWS WAF Logs, AWS Shield, Amazon GuardDuty and AWS Security Hub.
Agencies should retain logs from these AWS services for a period of 30 months and can use Amazon Simple Storage Service (Amazon S3) Intelligent Tiering for “hot” storage that can be instantly accessed and Amazon S3 Glacier for the “cold” storage that can be accessed upon request.
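The retention pattern described above can be expressed as an S3 lifecycle configuration. The block below is an added example, not code from the article or from AWS: it builds the lifecycle rule in the dictionary shape boto3's `put_bucket_lifecycle_configuration` accepts and adds two checks a practitioner would run against a bucket's existing configuration. The specific numbers are assumptions: 30 months is rounded up to 930 days (31 days per month) so the floor is never undershot, and the 90-day "hot" window before the Glacier transition is a policy choice, not a figure from the memo or the blog post.

```python
"""Added example (not from the article or AWS): build and check an S3
lifecycle configuration implementing a hot (Intelligent-Tiering) then
cold (Glacier) retention scheme with a minimum 30-month retention floor."""
from __future__ import annotations

import json

# Assumed values. 30 months is rounded up to 31-day months (930 days) so
# the retention floor is conservative; the 90-day hot window is an
# assumed policy choice, not a number taken from M-21-31 or the blog post.
MONTHS_REQUIRED = 30
DAYS_PER_MONTH_CEIL = 31
RETENTION_DAYS = MONTHS_REQUIRED * DAYS_PER_MONTH_CEIL  # 930
HOT_DAYS = 90

# Storage classes treated as "cold" archival tiers for the check below.
COLD_CLASSES = {"GLACIER", "GLACIER_IR", "DEEP_ARCHIVE"}


def build_retention_lifecycle(prefix: str = "", hot_days: int = HOT_DAYS,
                              retention_days: int = RETENTION_DAYS) -> dict:
    """Return a lifecycle configuration dict (the LifecycleConfiguration=
    argument of boto3's put_bucket_lifecycle_configuration).

    Objects enter Intelligent-Tiering on day 0, move to Glacier after
    hot_days, and expire after retention_days. S3 requires transition days
    to be strictly less than the expiration day, so that is validated here.
    """
    if not 0 <= hot_days < retention_days:
        raise ValueError("hot_days must be >= 0 and less than retention_days")
    return {
        "Rules": [
            {
                "ID": "el1-log-retention",  # assumed rule name
                "Status": "Enabled",
                "Filter": {"Prefix": prefix},
                "Transitions": [
                    {"Days": 0, "StorageClass": "INTELLIGENT_TIERING"},
                    {"Days": hot_days, "StorageClass": "GLACIER"},
                ],
                "Expiration": {"Days": retention_days},
            }
        ]
    }


def retention_floor_ok(config: dict, min_months: int = MONTHS_REQUIRED) -> bool:
    """True if no enabled rule expires objects before min_months.

    A rule with no Expiration keeps objects indefinitely, which satisfies
    the floor. A fixed-date Expiration cannot guarantee a rolling floor and
    is treated as a failure so it gets reviewed rather than silently passed.
    """
    min_days = min_months * DAYS_PER_MONTH_CEIL
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        expiration = rule.get("Expiration", {})
        if "Date" in expiration:
            return False
        days = expiration.get("Days")
        if days is not None and days < min_days:
            return False
    return True


def has_cold_tier(config: dict) -> bool:
    """True if some enabled rule transitions objects into an archival class."""
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        for transition in rule.get("Transitions", []):
            if transition.get("StorageClass") in COLD_CLASSES:
                return True
    return False


if __name__ == "__main__":
    # Stand-alone demo: print the rule and the two checks against it.
    cfg = build_retention_lifecycle(prefix="cloudtrail/")
    print(json.dumps(cfg, indent=2))
    print("retention floor ok:", retention_floor_ok(cfg))
    print("cold tier present:", has_cold_tier(cfg))
```

To apply the rule, pass the returned dict as `LifecycleConfiguration` to `put_bucket_lifecycle_configuration` on the central log bucket; to audit an existing bucket, feed the result of `get_bucket_lifecycle_configuration` to the two check functions. The checks deliberately fail closed on date-based expirations, since a fixed date can satisfy the floor today and violate it next month.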
“Logs from these services need to be enabled in all AWS Regions and accounts that are within scope. Logs should also be shipped to a centralized repository in the formats prescribed in Appendix A of the memorandum,” Minichino noted.
He said federal customers can use AWS Control Tower or the Landing Zone Accelerator on AWS to help streamline event logging at EL1.
Minichino also provided a list of resources to help agencies configure event logging for each AWS service.