Cloud Logging (AWS, Azure, GCP)

Cloud logging is the backbone of cloud forensics. Unlike traditional systems, cloud environments rely heavily on managed logging services that capture every API call, authentication attempt, network event, and configuration change. These logs are essential for incident response because they reveal who did what, when, and from where inside the cloud environment.

This chapter explains how AWS, Azure, and GCP implement logging, what logs are most important for forensics, and how investigators use them to detect breaches and reconstruct events.


Why Cloud Logging Matters in Forensics

Cloud infrastructures are API-driven. Every action—whether by a user, IAM role, service, or attacker—is recorded as an API call.

Cloud logs help investigators:

  • Trace unauthorized activity

  • Detect compromised accounts

  • Reconstruct attacker movements

  • Identify privilege escalation

  • Review configuration changes

  • Analyze outbound traffic and data access

  • Prove what happened for legal purposes

These logs often provide the only evidence of cloud incidents because investigators do not have physical disk or memory access.


Cloud Logging Overview by Platform


AWS Logging for Forensics

AWS provides extensive logging across all major services.


1. AWS CloudTrail (Critical for Forensics)

CloudTrail records every API call made to AWS services. Management events (control-plane calls such as IAM, EC2 and console sign-ins) are captured by default; data events such as S3 object-level operations and Lambda invocations are recorded only if they were enabled on the trail before the incident.

Captured data includes:

  • Who made the request

  • Timestamp

  • Source IP

  • AWS service and action

  • Request parameters

  • Response code

Key forensic events:

  • Unauthorized IAM activity

  • S3 access attempts

  • EC2 instance creation/deletion

  • Security group changes

  • Console logins

  • Access key usage

CloudTrail is the primary forensic log in AWS.
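
An added example, not part of the chapter, that turns the captured fields listed above into a time-ordered timeline: it parses a CloudTrail log file, resolves the userIdentity block (IAM user, root, or assumed-role session) to a readable principal, and pulls out the source IP, service, action, request parameters and outcome. The records are constructed samples; the field names are CloudTrail's own.

```python
import json
from datetime import datetime, timezone

# Constructed sample log file (not real data); the field names follow the
# CloudTrail record format. Files delivered to S3 are gzipped JSON with a
# top-level "Records" array, which is what this parser expects.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T10:00:45Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Admin/bob",
                      "sessionContext": {"sessionIssuer": {"userName": "Admin"}}},
     "requestParameters": {"groupId": "sg-0abc"},
     "errorCode": "Client.UnauthorizedOperation"},
]})

def who(identity: dict) -> str:
    """Resolve the userIdentity block to a readable principal."""
    kind = identity.get("type")
    if kind == "Root":
        return "ROOT"
    if kind == "AssumedRole":  # sessionIssuer names the role; the ARN ends in the session name
        role = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName", "?")
        return f"role:{role} session:{identity.get('arn', '').rsplit('/', 1)[-1]}"
    return f"{kind}:{identity.get('userName', identity.get('arn', '?'))}"

def parse_cloudtrail(raw: str) -> list:
    """Flatten a CloudTrail log file into a time-ordered who/what/when/where timeline."""
    rows = []
    for rec in json.loads(raw)["Records"]:
        ident = rec.get("userIdentity", {})
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append({
            "time": ts, "who": who(ident), "key": ident.get("accessKeyId"),
            "ip": rec.get("sourceIPAddress"),
            "service": rec["eventSource"].split(".")[0],  # "ec2.amazonaws.com" -> "ec2"
            "action": rec["eventName"],
            "params": rec.get("requestParameters") or {},
            # denied API calls carry errorCode; console logins report in responseElements
            "outcome": rec.get("errorCode")
                       or (rec.get("responseElements") or {}).get("ConsoleLogin", "Success"),
            "mfa": (rec.get("additionalEventData") or {}).get("MFAUsed"),
        })
    return sorted(rows, key=lambda r: r["time"])
```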


2. AWS CloudWatch Logs

Monitors:

  • Lambda logs

  • Application logs

  • Network activities

  • VPC Flow Logs (optional export)

Useful for:

  • Detecting brute-force attacks

  • Monitoring suspicious application behavior

  • Detecting spikes in Lambda execution


3. VPC Flow Logs

Records inbound/outbound network flows.

Reveals:

  • C2 traffic

  • Port scanning

  • Unusual outbound connections

  • Data exfiltration
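
An added example (not from the chapter) showing how the patterns listed above are pulled out of raw flow records: it parses default-format AWS VPC Flow Log lines, skips NODATA records, and flags port scanning (one source rejected on many ports of one host) and large outbound transfers out of the VPC. The VPC CIDR, the thresholds and the log lines are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed records in the default AWS VPC Flow Log format (not real traffic):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOWS = """\
2 111111111111 eni-0a1b2c 10.0.1.5 10.0.1.9 51000 22 6 12 2100 1714557600 1714557660 ACCEPT OK
2 111111111111 eni-0a1b2c 10.0.1.5 10.0.1.9 51001 80 6 1 44 1714557600 1714557660 REJECT OK
2 111111111111 eni-0a1b2c 10.0.1.5 10.0.1.9 51002 443 6 1 44 1714557600 1714557660 REJECT OK
2 111111111111 eni-0a1b2c 10.0.1.5 10.0.1.9 51003 3306 6 1 44 1714557600 1714557660 REJECT OK
2 111111111111 eni-0a1b2c 10.0.1.5 10.0.1.9 51004 5432 6 1 44 1714557600 1714557660 REJECT OK
2 111111111111 eni-0a1b2c 10.0.1.5 10.0.1.9 51005 8080 6 1 44 1714557600 1714557660 REJECT OK
2 111111111111 eni-0a1b2c 10.0.1.5 198.51.100.20 40000 443 6 9000 900000000 1714557600 1714558200 ACCEPT OK
2 111111111111 eni-0a1b2c 10.0.1.7 198.51.100.30 40001 443 6 30 12000 1714557600 1714557660 ACCEPT OK
2 111111111111 eni-0a1b2c - - - - - - - 1714557600 1714557660 - NODATA
"""
FIELDS = ["version", "account", "interface", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "status"]
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed VPC range; anything else is "outside"

def parse_flows(text: str) -> list:
    """Parse default-format lines; NODATA/SKIPDATA records carry '-' fields and are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue
        f = dict(zip(FIELDS, parts))
        for k in ("srcport", "dstport", "packets", "bytes", "start", "end"):
            f[k] = int(f[k])
        flows.append(f)
    return flows

def find_port_scans(flows: list, min_ports: int = 5) -> dict:
    """One source rejected on many distinct ports of one host is the scan signature."""
    rejected = defaultdict(set)
    for f in flows:
        if f["action"] == "REJECT":
            rejected[(f["srcaddr"], f["dstaddr"])].add(f["dstport"])
    return {pair: sorted(p) for pair, p in rejected.items() if len(p) >= min_ports}

def find_large_egress(flows: list, threshold_bytes: int = 100_000_000) -> dict:
    """Sum accepted bytes leaving the VPC per (src, dst); big totals are exfiltration candidates."""
    out = defaultdict(int)
    for f in flows:
        if (f["action"] == "ACCEPT" and ipaddress.ip_address(f["srcaddr"]) in VPC_CIDR
                and ipaddress.ip_address(f["dstaddr"]) not in VPC_CIDR):
            out[(f["srcaddr"], f["dstaddr"])] += f["bytes"]
    return {pair: total for pair, total in out.items() if total >= threshold_bytes}
```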


4. S3 Access Logs

Tracks:

  • Reads/writes

  • Anonymous access attempts

Useful when investigating leaked buckets.


5. GuardDuty Findings (Threat Detection)

GuardDuty flags:

  • Compromised keys

  • IAM anomalies

  • DNS tunneling

  • Unusual EC2 outbound traffic

  • Known C2 communication


Azure Logging for Forensics

Azure provides unified logging across platform services.


1. Azure Activity Logs

Logs management operations across the subscription.

Covers:

  • Resource creation/deletion

  • Role assignments

  • Policy updates

  • Network rule changes

Essential for tracking administrative events.


2. Azure AD Sign-in & Audit Logs

Shows:

  • Login attempts

  • MFA failures

  • Risky sign-ins

  • Token misuse

  • User privilege elevation

These logs are the primary source for detecting compromised accounts.


3. Azure Monitor & Log Analytics Workspace

Stores logs from:

  • VMs

  • AKS (Kubernetes)

  • Applications

  • Network traffic

Supports KQL (Kusto Query Language) for forensic searches.


4. NSG Flow Logs (Network Flow Logs)

Useful for:

  • Detecting scanning

  • Outbound C2 traffic

  • Suspicious inbound attempts


5. Microsoft Defender for Cloud Alerts

Flags:

  • Suspicious VM processes

  • Malware activity

  • Identity attacks


GCP Logging for Forensics

GCP centralizes logging via Cloud Logging and Cloud Audit Logs.


1. Cloud Audit Logs

Includes:

  • Admin Activity Logs

  • Data Access Logs

  • System Events Logs

Covers:

  • Resource changes

  • IAM changes

  • API calls

  • Access to data (e.g., BigQuery, Cloud Storage)

Admin Activity Logs are always enabled and critical for forensics. Data Access Logs, by contrast, are off by default for every service except BigQuery, so they must be turned on before an incident or the data-access evidence will not exist.


2. VPC Flow Logs

Shows:

  • Network traffic patterns

  • Suspicious outbound communication

  • Lateral movement attempts


3. Cloud Storage Access Logs

Used to investigate:

  • Data exfiltration

  • Unauthorized downloads


4. Cloud Logging (formerly Stackdriver)

Collects:

  • VM application logs

  • Kubernetes logs

  • System logs

  • Firewall logs

Useful for multi-layer incident reconstruction.


Key Forensic Activities Using Cloud Logs


1. Investigating Unauthorized Access

Search for:

  • Login failures

  • Logins from unusual geographies

  • Access by service accounts

  • API calls without MFA


2. Tracking Privilege Escalation

Look for:

  • IAM role modifications

  • New admin accounts

  • Policy updates


3. Detecting Lateral Movement in Cloud

Evidence includes:

  • Switching roles

  • Creating temporary credentials

  • Accessing unrelated services


4. Identifying Data Exfiltration

Logs show:

  • Outbound transfers

  • Cloud Storage/S3 read operations

  • Large BigQuery exports


5. Investigating Resource Manipulation

Examples:

  • Rogue EC2/GCE/VM creation

  • Security group changes

  • Opening inbound ports
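
An added example, not part of the chapter, that expresses the five activities above as rules over normalized log events (who, service, action, parameters, outcome, MFA), the shape a CloudTrail record reduces to once parsed. The events are constructed, the action names are the AWS API names, and the thresholds are assumptions; the same rule structure applies to GCP audit-log methodName values. Geography checks are left out because they need an external IP-to-country lookup.

```python
from collections import Counter

# Constructed events already flattened to who / ip / service / action / params /
# outcome / mfa. Action names are AWS API names (CloudTrail eventName values).
def ev(who, service, action, outcome="Success", mfa=None, **params):
    return {"who": who, "ip": "203.0.113.7", "service": service, "action": action,
            "outcome": outcome, "mfa": mfa, "params": params}

EVENTS = [
    ev("IAMUser:alice", "signin", "ConsoleLogin", outcome="Failure", mfa="No"),
    ev("IAMUser:alice", "signin", "ConsoleLogin", mfa="No"),
    ev("IAMUser:alice", "iam", "AttachUserPolicy", userName="alice",
       policyArn="arn:aws:iam::aws:policy/AdministratorAccess"),
    ev("IAMUser:alice", "sts", "AssumeRole", roleArn="arn:aws:iam::111111111111:role/DataRole"),
    ev("role:DataRole", "ec2", "AuthorizeSecurityGroupIngress", cidrIp="0.0.0.0/0", fromPort=22),
] + [ev("role:DataRole", "s3", "GetObject", bucketName="finance-exports")] * 120

PRIV_ESC = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy", "CreateUser",
            "AddUserToGroup", "UpdateAssumeRolePolicy", "CreateAccessKey", "CreateLoginProfile"}
LATERAL = {"AssumeRole", "GetSessionToken", "GetFederationToken"}
RESOURCE = {"RunInstances", "TerminateInstances", "AuthorizeSecurityGroupIngress",
            "CreateSecurityGroup", "ModifyInstanceAttribute"}

def triage(events: list, read_threshold: int = 100) -> list:
    """Tag each event with the forensic activity it evidences: (activity, who, detail) tuples."""
    findings, reads = [], Counter()
    for e in events:
        a, p = e["action"], e["params"]
        if a == "ConsoleLogin" and (e["outcome"] != "Success" or e["mfa"] == "No"):
            findings.append(("unauthorized_access", e["who"], f"{a} {e['outcome']} MFA={e['mfa']}"))
        if e["service"] == "iam" and a in PRIV_ESC:
            findings.append(("privilege_escalation", e["who"], a))
        if a in LATERAL:  # new credentials for another role mark a pivot in the timeline
            findings.append(("lateral_movement", e["who"], p.get("roleArn", a)))
        if a in RESOURCE:
            detail = a + (" world-open" if p.get("cidrIp") == "0.0.0.0/0" else "")
            findings.append(("resource_manipulation", e["who"], detail))
        if a in ("GetObject", "storage.objects.get"):  # bulk object reads, counted per principal
            reads[e["who"]] += 1
    for who, n in reads.items():
        if n >= read_threshold:
            findings.append(("data_exfiltration", who, f"{n} object reads"))
    return findings
```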


Best Practices for Cloud Logging in Forensics

  • Enable audit logs across all services

  • Store logs in immutable storage (WORM)

  • Centralize logging and analysis

  • Keep logs for long retention (1–5 years)

  • Use SIEM integration (Splunk, Sentinel, Chronicle)

  • Enable alerts for suspicious events

  • Enable MFA and key rotation to reduce incidents


Intel Dump

  • Cloud logging is essential for cloud forensics because investigators do not have physical access to disks or memory.

  • AWS uses CloudTrail, CloudWatch, VPC Flow Logs, S3 logs, and GuardDuty for attack detection and timeline reconstruction.

  • Azure relies on Activity Logs, Azure AD sign-in logs, NSG flow logs, Monitor, and Defender for Cloud alerts.

  • GCP uses Cloud Audit Logs, VPC Flow Logs, Cloud Logging, and Storage access logs.

  • Forensics focuses on detecting unauthorized API activity, credential misuse, data exfiltration, privilege escalation, and suspicious network behavior.

  • Best practice: enable centralized immutable logging, long retention, and SIEM integration.
