Security Audit Logging

Architecture

Implement secure audit logging for compliance requirements:

Authentication events from identity providers
API access logs from API Gateway
VPC Flow Logs for network activity
CloudTrail events for AWS API calls

When to Use

This pattern is ideal when you need:

SOC 2, PCI-DSS, or HIPAA compliance
Long-term log retention for audits
Encryption for sensitive log data
Tamper-evident log storage

Configuration

module "audit_logs" {
  source  = "registry.patterneddesigns.ca/essentials/cloudwatch-logs/aws"
  version = "1.3.0"

  log_group_name    = "/security/audit"
  retention_in_days = 2557  # 7 years for compliance
  kms_key_arn       = module.security_kms.key_arn

  metric_filters = [
    {
      name             = "failed-auth"
      pattern          = "{ $.eventType = \"AUTHENTICATION_FAILURE\" }"
      metric_name      = "FailedAuthentications"
      metric_namespace = "Security/Audit"
    },
    {
      name             = "privilege-escalation"
      pattern          = "{ $.eventType = \"ROLE_ASSUMED\" }"
      metric_name      = "RoleAssumptions"
      metric_namespace = "Security/Audit"
    }
  ]
}

Considerations

Use KMS encryption for sensitive data
Set retention to meet compliance requirements
Archive to S3 for cost-effective long-term storage
Implement cross-account log aggregation for multi-account setups