MMNA
Monitoring, Detection & Cloud Defense Engineering
The final layer: Detect what slips past IAM hardening. Master CloudTrail logging, behavioral anomaly detection, and enterprise-grade detection engineering. Transform security from prevention-only to detection + response.
Cloud Monitoring Fundamentals
You cannot defend what you cannot see. Monitoring is the nervous system of cloud security.
AWS CloudTrail
The authoritative audit log of ALL AWS API calls. Every action leaves a trace: who performed it, when, from where, what was requested, and what the result was. CloudTrail is non-negotiable.
Logging Visibility Mindset
Three tiers of logging: Organization Trail (all accounts), Regional Trail, and Data Events. You need visibility at all layers. Default CloudTrail logging captures API calls; Data Events capture S3 and Lambda. Start with organization-wide trails.
Centralized Log Aggregation
Ship all logs to a centralized security account. CloudTrail → S3 → Athena/Splunk for querying. This creates an immutable audit trail that attackers cannot tamper with (if properly secured).
↓ Captures all API calls from all member accounts
↓ Writes to immutable S3 bucket in security account
↓ Enables queries via Athena (SQL on S3)
↓ Feeds into SIEM (Splunk, Datadog, Amazon Security Hub)
↓ Triggers real-time alerts for suspicious activity
Critical CloudTrail Fields to Monitor
- 📌 userIdentity.principalId — WHO performed the action
- 📌 eventName — WHAT action was performed (e.g., AssumeRole, GetObject)
- 📌 eventSource — WHICH service (iam, s3, ec2, rds)
- 📌 sourceIPAddress — FROM WHERE (geography, VPC endpoint, internet)
- 📌 requestParameters + responseElements — WHAT WAS REQUESTED and WHAT WAS THE RESULT
- 📌 errorCode — If operation failed, why (AuthorizedOperationException = privilege denied)
- 📌 eventTime — WHEN it happened (precise UTC timestamp)
Detection Engineering Concepts
Detection engineering transforms raw logs into actionable threat signals. It's the science of identifying bad behavior before it causes damage.
Learn what NORMAL looks like for each principal. Normal for a Lambda function: S3 GetObject at 3am daily, same bucket, same volume. Normal for a developer: console login 9am-5pm, from corporate IP.
Deviation = deviation from baseline. Examples: Lambda suddenly accessing 100 different S3 buckets (abnormal). Developer logging in at 3am from China (abnormal). Admin deleting 10 IAM roles in 1 minute (abnormal).
Not every deviation is malicious (on-call engineer at 3am is normal). Build context: is this principal doing something they've NEVER done before? Is it consistent with their role? Is the source IP trusted?
Single signal = weak alert (high false positive). Multiple correlated signals = strong signal. Example: new access key + immediate escalation attempt + S3 download = high-confidence compromise.
Defense-in-Depth Strategy
No single control stops all attacks. Combine identity security, network security, and monitoring into a unified defense architecture.
Controls: Least-privilege IAM policies, MFA enforcement, role-based access, temporary credentials
Assumption: Credentials WILL be compromised. Make sure compromised credentials are minimally privileged.
Controls: Security groups, NACLs, VPC endpoints, private subnets, VPC flow logs
Assumption: Attackers WILL move laterally. Make sure each microservice/environment is isolated.
Controls: CloudTrail logging, behavioral anomaly detection, real-time alerting, SIEM correlation
Assumption: Some attacks WILL slip through. Catch them within minutes, not days.
Controls: Security assessments, IAM Access Analyzer, Config compliance, penetration testing, automated security validation
Assumption: Controls drift over time. Continuously audit and remediate.
Defense-in-Depth Decision Tree
├─ Identity Layer Blocks? (IAM policy denies action)
│ ├─ YES → Logged as "AuthorizedOperationException" + continue to step 2
│ └─ NO → Attacker gets access, continue to step 2
│
├─ Network Layer Blocks? (Security group denies traffic)
│ ├─ YES → Connection refused + logged in VPC Flow Logs + alert
│ └─ NO → Attacker reaches resource, continue to step 3
│
├─ Monitoring Detects? (Behavioral anomaly triggered)
│ ├─ YES → Real-time alert → Security team → Response in minutes
│ └─ NO → Attacker active undetected, continue to step 4
│
└─ Continuous Validation Catches? (Quarterly audit finds misconfiguration)
├─ YES → Gap remediated before next attack
└─ NO → Vulnerability persists, increases future risk
Enterprise Governance Lessons
Security is not a project; it's a continuous process. Enterprise security requires governance, accountability, and automation.
Compliance Monitoring
AWS Config continuously monitors configurations against compliance rules (CIS Benchmarks, SOC 2, ISO 27001). Automated compliance dashboard shows what's compliant and what's drifting. Non-compliance triggers remediation workflows.
Quarterly Architecture Reviews
Every 90 days, security and engineering teams review IAM policies, cross-account roles, and network isolation. Document findings. Update policies. Close gaps. This prevents security debt from accumulating.
Security Incident Drills
Run tabletop exercises: "Attacker compromises a developer's IAM credentials. Walk through response." These drills test your detection, response procedures, and team coordination before a real incident.
- ✓ IAM Audit: Review all users, roles, policies. Remove unused identities.
- ✓ CloudTrail Review: Verify logging enabled on all accounts + regions. Check for unusual API activity.
- ✓ MFA Enforcement: Ensure MFA required for console access + sensitive API operations.
- ✓ Access Analyzer: Run Access Analyzer to identify resources with public or cross-account access.
- ✓ Compliance Check: AWS Config reports + manual verification of CIS Benchmarks.
- ✓ Incident Response Plan: Update playbooks. Run tabletop exercise with team.
- ✓ Third-Party Review: External security assessment or penetration test.
External Learning References
Deepen your monitoring and detection engineering skills with official resources: