How to Enable Logging on Every AWS Service in Existence (Circa 2021)

Matt Fuller
16 min read · Jan 3, 2021

Cloud security best practices, as well as most compliance programs, require that logging be enabled for all in-scope services. However, that simple requirement — “enable logging” — comes with many follow-up questions. Is CloudTrail enough? How do I turn on logging for all these services? Aren’t logs collected by default? What. even. is. a. log?

In AWS, logging, like most tasks, isn’t as simple as it seems it could be, due to an inconsistent use of defaults, differing destination logging services, and a variety of configuration options, sometimes hidden in layers of submenus and API parameters. I guess we can blame the pizza teams for this too.

After using a handful of AWS services, you’ll notice that some send their logs to CloudWatch Logs (e.g. Lambda), others go to S3 (e.g. ELB and CloudFront), and still others wind up going to Kinesis (e.g. CloudFront’s new real-time logs).

And so I entered a rabbit hole of Googling, AWS documentation, and spinning up test services with names like “deletethisasap” in order to write the definitive guide to answer the question “how do I enable logging?” for every supported AWS service (although I make no guarantees; AWS released five new services just as I was typing this intro).
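The destination mess described above is also what makes "is logging on?" hard to answer uniformly. As an added example (not code from the article), the following normalises the differently shaped per-service logging settings into one report; the input dicts are constructed samples shaped like the boto3 responses for `describe_load_balancer_attributes` (elbv2 and classic elb) and `get_distribution_config`, with `RealtimeLogConfigArn` being where CloudFront attaches its real-time (Kinesis) log config.

```python
# Added example (not from the article): normalise the differently shaped
# logging settings boto3 returns per service into one uniform report. Inputs
# are constructed dicts shaped like the real boto3 responses named below.
from dataclasses import dataclass

@dataclass
class LogStatus:
    resource: str
    enabled: bool
    destination: str  # "s3://bucket/prefix", "kinesis:<arn>" or "none"

def elbv2_status(name, resp):
    # ALB/NLB describe_load_balancer_attributes: flat Key/Value list,
    # with booleans encoded as the strings "true"/"false"
    a = {x["Key"]: x["Value"] for x in resp.get("Attributes", [])}
    on = a.get("access_logs.s3.enabled", "false").lower() == "true"
    dest = f"s3://{a.get('access_logs.s3.bucket', '')}/{a.get('access_logs.s3.prefix', '')}"
    return LogStatus(f"elbv2:{name}", on, dest if on else "none")

def classic_elb_status(name, resp):
    # Classic ELB: same API name, but a nested AccessLog object with a real bool
    log = resp.get("LoadBalancerAttributes", {}).get("AccessLog", {})
    on = bool(log.get("Enabled", False))
    dest = f"s3://{log.get('S3BucketName', '')}/{log.get('S3BucketPrefix', '')}"
    return LogStatus(f"elb:{name}", on, dest if on else "none")

def cloudfront_status(dist_id, resp):
    # CloudFront get_distribution_config: standard logs (Logging block -> S3) and
    # real-time logs (RealtimeLogConfigArn -> Kinesis) are configured separately
    cfg = resp.get("DistributionConfig", {})
    std, beh = cfg.get("Logging", {}), cfg.get("DefaultCacheBehavior", {})
    std_on, rt_arn = bool(std.get("Enabled", False)), beh.get("RealtimeLogConfigArn", "")
    std_dest = f"s3://{std.get('Bucket', '')}/{std.get('Prefix', '')}"
    return [LogStatus(f"cloudfront:{dist_id}:standard", std_on, std_dest if std_on else "none"),
            LogStatus(f"cloudfront:{dist_id}:realtime", bool(rt_arn), f"kinesis:{rt_arn}" if rt_arn else "none")]

def audit(statuses):
    # Resources with no logging destination at all: the ones to fix first
    return [s.resource for s in statuses if not s.enabled]

# Constructed sample responses (not captured from a real account)
SAMPLE = [
    elbv2_status("web-alb", {"Attributes": [
        {"Key": "access_logs.s3.enabled", "Value": "true"},
        {"Key": "access_logs.s3.bucket", "Value": "example-logs"}]}),
    classic_elb_status("legacy-elb", {"LoadBalancerAttributes": {"AccessLog": {"Enabled": False}}}),
    *cloudfront_status("EDIST1EXAMPLE", {"DistributionConfig": {
        "Logging": {"Enabled": True, "Bucket": "example-logs.s3.amazonaws.com", "Prefix": "cf/"},
        "DefaultCacheBehavior": {"RealtimeLogConfigArn": ""}}}),
]
```

Running `audit(SAMPLE)` flags the classic ELB and the distribution's missing real-time config, while the ALB and CloudFront standard logs report their S3 destinations.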

TL;DR


Founder of @CloudSploit, acquired by @AquaSecTeam. Former Infra / Security / Manager @Adobe, @Aviary & @Mozilla intern, @RITtigers grad, @NYC resident