SEC09-03 Implementing Security Audits

Enable security audits for key operations on each cloud service and by any individual user. Protect audit logs and back them up periodically to avoid unexpected deletions, modifications, or overwriting.

• Risk level

  High

• Key strategies
  • Key operations on cloud services include high-risk operations (such as creating and deleting IAM users, restarting VMs, and changing security configurations), cost-sensitive operations (such as creating and deleting high-cost resources), and service-sensitive operations (such as network configuration changes).
  • Enable the key event notifications. If you enable key event notifications in CTS, CTS sends notifications to subscribers in real time through SMN.
  • Enable log transfer in CTS to send audit logs to OBS. You can set a log retention duration based on your compliance and service requirements.
  • Protect audit logs and back them up periodically to avoid unexpected deletions, modifications, or overwriting. You can also enable file verification for audit logs to ensure the integrity of audit files and prevent files from being tampered with.
  • Enable centralized fine-grained control for O&M account permissions to access systems and resources.
  • For details about data security audit, see SEC07-03 Monitoring Data Use.
• Related cloud services and tools
  • Cloud Trace Service (CTS): A tracker is automatically created when you enable CTS. The tracker identifies and associates with all cloud services you are using, and records all operations on the services. CTS allows you to collect, store, and query all operations on your cloud resources and use these records for security analysis, compliance auditing, resource tracking, and fault locating.
  • Cloud Bastion Host (CBH)
  • Database Security Service (DBSS)
  • SecMaster
  • Simple Message Notification (SMN)