Control: 2.3 Ensure audit logs for multiple cloud resources are integrated with Log Service
Description
Log Service provides real-time log collection and analysis across multiple cloud resources on behalf of the authorized resource owners. This lets a large enterprise exercise security governance over all resources owned by multiple accounts by integrating and monitoring logs from different sources. For example, Log Service supports integrated collection of logs from the following sources:
- ActionTrail is a cloud service that records API calls made in a given Alibaba Cloud account.
- ApsaraDB RDS and DRDS SQL audit records all data manipulation language (DML) and data definition language (DDL) operations through network protocol analysis and consumes only a small amount of CPU resources. The Trial Edition of SQL Explorer retains up to one day of generated SQL log data free of charge.
- Object Storage Service (OSS) supports recording every change to its resources, including buckets, ACLs, replication, and files, as well as file access logs.
- The access log feature of SLB can be applied to HTTP- and HTTPS-based Layer 7 load balancing. Access logs can contain about 30 fields such as the time when a request is received, the IP address of the client, processing latency, request URI, backend server (ECS instance) address, and returned status code. As an Internet access point, SLB needs to distribute a large number of access requests.
- Alibaba Cloud API Gateway provides API hosting service to facilitate micro-service aggregation, frontend and backend isolation, and system integration. Each API request corresponds to an access record, which contains information such as the IP address of the API caller, requested URL, response latency, returned status code, and number of bytes for each request and response. With the preceding information, you can understand the operating status of your web services.
- NAS audit and access logs record each request to a Network File System (NFS) file system, including file changes and access, together with details of the request such as the operation type, target object, and response status for the current user. Log Service also provides real-time query and analysis and dashboard presentation for these logs.
Remediation
Perform the following to ensure the logs are integrated with Log Service:
From Console
- Log on to the SLS console.
- Click Log Service Audit Service in the navigation pane.
- Go to the Access to Cloud Products > Global Configuration page.
- Select the location of the project that stores the logs.
- Check the appropriate product logging options, such as Action Trail, RDS SQL Audit Logs, OSS Access Logs, SLB Access Log, NAS Access Log, and API Gateway Access log, and configure a proper storage period (in days).
- Click Save to save the changes.
- Go to the Multi-Account Configurations > Global Configuration page.
- Modify it to input the account IDs of the other resource owners.
- Click Save to save the changes.
- Go to the Access to Cloud Products > Status Dashboard page to ensure the Status is Green.
Usage
Run the control in your terminal:
powerpipe control run alicloud_compliance.control.cis_v100_2_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_2_3 --share
SQL
This control uses a named query:
manual_control