# Audit Logging Policy
HIPAA Rule: §164.312(b)
## Purpose
Maintain audit logs of all activity involving PHI systems to support investigation, compliance reporting, and anomaly detection.
## Log Sources
| Source | Tool | Retention |
|---|---|---|
| AWS API activity | CloudTrail (multi-region) | 7 years |
| Network traffic | VPC Flow Logs | 1 year |
| AWS resource configuration | AWS Config | 7 years |
| Security findings | Security Hub / GuardDuty | 1 year |
| Application access logs | CloudWatch Logs (Django/Laravel) | 1 year |
| S3 access (screenshot bucket) | S3 Server Access Logging | 1 year |
| EC2 session activity | SSM Session Manager logs | 1 year |
## CloudTrail Requirements
- Multi-region trail enabled in both NVS and NHC accounts
- Management events: all (read + write)
- Data events: S3 (all buckets in scope), Lambda if used
- CloudTrail log files encrypted with KMS CMK
- Log file validation enabled (tamper-detection)
- Logs delivered to dedicated S3 bucket with restricted access
- CloudTrail S3 bucket: versioning enabled, no public access
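The following is an added example, not part of the policy document: a small check that compares a trail's configuration with the requirements in the list above. The input dictionaries mirror the shape of the boto3 `CloudTrail.describe_trails()` and `CloudTrail.get_event_selectors()` responses; the trail names, bucket ARNs, KMS key ARN and account id are constructed for the example, and the list of in-scope buckets is an assumption.

```python
"""Check a CloudTrail trail against the requirements listed above.

Added example, not part of the policy document. The dicts mirror the shape
of boto3 CloudTrail.describe_trails() and CloudTrail.get_event_selectors()
responses; the values are constructed, not taken from a real account.
"""

# Constructed: ARNs (with object prefix) of the S3 buckets in scope for data events.
IN_SCOPE_BUCKETS = [
    "arn:aws:s3:::example-phi-screenshots/",
    "arn:aws:s3:::example-app-uploads/",
]


def check_trail(trail: dict, selectors: list[dict], buckets: list[str]) -> list[str]:
    """Return policy violations for one trail; an empty list means compliant."""
    problems = []
    if not trail.get("IsMultiRegionTrail"):
        problems.append("trail is not multi-region")
    if not trail.get("KmsKeyId"):
        problems.append("log files are not encrypted with a KMS CMK")
    if not trail.get("LogFileValidationEnabled"):
        problems.append("log file validation (digest files) is disabled")
    if not trail.get("S3BucketName"):
        problems.append("no dedicated S3 delivery bucket configured")

    # Management events: at least one selector must include them with
    # ReadWriteType "All" (read + write).
    if not any(
        s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
        for s in selectors
    ):
        problems.append("management events are not logged for both read and write")

    # Data events: every in-scope bucket must be covered by an S3 object data
    # resource whose value is a prefix of the bucket ARN.
    prefixes = [
        v
        for s in selectors
        for res in s.get("DataResources", [])
        if res.get("Type") == "AWS::S3::Object"
        for v in res.get("Values", [])
    ]
    for bucket in buckets:
        if not any(bucket.startswith(p) for p in prefixes):
            problems.append(f"no S3 data events for {bucket}")
    return problems


# Constructed sample: a trail that meets the policy.
COMPLIANT_TRAIL = {
    "Name": "org-trail",
    "S3BucketName": "example-cloudtrail-logs",
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
}
COMPLIANT_SELECTORS = [
    {
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        # "arn:aws:s3:::" is a prefix of every bucket ARN, i.e. all buckets.
        "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]}],
    }
]

# Constructed sample: the same trail after drift (validation and KMS removed,
# write-only management events, only one bucket covered).
DRIFTED_TRAIL = {**COMPLIANT_TRAIL, "LogFileValidationEnabled": False, "KmsKeyId": ""}
DRIFTED_SELECTORS = [
    {
        "ReadWriteType": "WriteOnly",
        "IncludeManagementEvents": True,
        "DataResources": [
            {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::example-phi-screenshots/"]}
        ],
    }
]

if __name__ == "__main__":
    for name, trail, selectors in [("compliant", COMPLIANT_TRAIL, COMPLIANT_SELECTORS),
                                   ("drifted", DRIFTED_TRAIL, DRIFTED_SELECTORS)]:
        print(name, check_trail(trail, selectors, IN_SCOPE_BUCKETS) or "OK")
```

Fed with the real API responses for the NVS and NHC accounts, the same function gives a per-trail list of gaps that can be raised as findings alongside the AWS Config checks in the log-source table.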
## VPC Flow Logs
- Enabled on all VPCs in NVS and NHC
- Published to CloudWatch Logs
- Log format: default (includes source IP, destination, port, action)
## Application-Level Logging
Django and Laravel applications must log:
- Authentication events (login success, login failure, logout)
- PHI access events (who accessed what record, when)
- PHI modification events (creates, updates, deletes)
- Failed authorization attempts
Log lines must not contain PHI in cleartext wherever this can be avoided.
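As an added example (not code from the policy or from any Django or Laravel project), the helper below emits one structured log line per event of the kinds listed above while keeping PHI out of the line itself. Record identifiers stay in the clear because "who accessed what record, when" needs them; the set of PHI field names, the keyed-token approach and the key value are assumptions made for the example.

```python
"""Emit application audit-log lines for the events listed above without
writing PHI in cleartext.

Added example, not code from the policy or from any Django or Laravel
project. Record identifiers stay in the clear because "who accessed what
record, when" needs them; direct identifiers (name, DOB, SSN, ...) are
replaced with a keyed HMAC token so investigators can still correlate
events about the same patient while the log line itself discloses no PHI.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed for this example; in production the key comes from a secrets
# manager and is never stored alongside the logs.
LOG_TOKEN_KEY = b"example-only-audit-token-key"

# Request/response fields that must never reach a log line in cleartext
# (assumed list; extend it to match the application's data model).
PHI_FIELDS = {"patient_name", "dob", "ssn", "mrn", "address", "phone", "email"}


def tokenize(value: str) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256, truncated to 16 hex chars)."""
    return hmac.new(LOG_TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def redact(details: dict) -> dict:
    """Return a copy of details with every PHI field replaced by its token."""
    return {
        k: ("tok:" + tokenize(str(v)) if k in PHI_FIELDS else v)
        for k, v in details.items()
    }


def audit_line(event: str, actor: str, outcome: str, details: Optional[dict] = None) -> str:
    """One JSON log line. Event names follow <area>.<action>, e.g. auth.login,
    auth.logout, phi.read, phi.update, phi.delete, authz.denied; outcome is
    success or failure."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "event": event,
        "actor": actor,
        "outcome": outcome,
        **redact(details or {}),
    }
    return json.dumps(record, separators=(",", ":"))


def leaks(line: str, cleartext_values) -> bool:
    """True if any of the given cleartext values appears in the log line."""
    return any(v in line for v in cleartext_values)


if __name__ == "__main__":
    print(audit_line("auth.login", "user:42", "failure", {"ip": "203.0.113.10"}))
    print(audit_line("phi.read", "user:42", "success",
                     {"record_id": "rec-1001", "patient_name": "Jane Example"}))
    print(audit_line("phi.update", "user:42", "success",
                     {"record_id": "rec-1001", "fields_changed": ["address"]}))
    print(audit_line("authz.denied", "user:42", "failure",
                     {"record_id": "rec-2002", "permission": "phi.update"}))
```

The `leaks()` helper is there for a unit test in the application's own suite: build a line from a request containing known PHI values and assert that none of them appears in the output, so a new field added to a view cannot silently start landing in CloudWatch Logs.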
## Log Integrity
- CloudTrail log file validation enabled (SHA-256 digest files)
- S3 bucket for logs: object lock or versioning prevents deletion
- IAM policy denies `DeleteTrail` for all non-admin roles
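As an added illustration of the first bullet (not code from the policy, and a simplified model rather than CloudTrail's actual digest file format, which is additionally RSA-signed and verified with `aws cloudtrail validate-logs`), the script below builds a chain of SHA-256 digests over constructed log files and shows what a verifier reports when a log file is edited, a log file is deleted, or a digest is removed from the chain. File names, contents and field names are constructed for the example.

```python
"""Verify a chain of log digests: an illustration of how CloudTrail log file
validation detects tampering.

Added example, not code from the policy. This is a simplified model of the
mechanism, not CloudTrail's real digest file format (real digest files are
additionally signed by CloudTrail's RSA key and are checked with
`aws cloudtrail validate-logs`). Each digest commits to the SHA-256 of every
log file it covers and to the SHA-256 of the previous digest, so editing or
deleting a log file, or removing a digest from the middle of the chain,
breaks a hash that a later digest has already recorded.
"""
import hashlib
import json
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_digest(log_files: Dict[str, bytes], previous: Optional[bytes]) -> bytes:
    """Build a digest covering log_files and chained to the previous digest."""
    body = {
        "logFiles": [{"name": n, "hashValue": sha256_hex(c)}
                     for n, c in sorted(log_files.items())],
        "previousDigestHashValue": sha256_hex(previous) if previous is not None else None,
    }
    return json.dumps(body, sort_keys=True).encode()


def validate_chain(digests: List[bytes], log_files: Dict[str, bytes]) -> List[str]:
    """Return integrity failures; an empty list means logs and chain are intact."""
    failures = []
    previous = None
    for i, digest in enumerate(digests):
        body = json.loads(digest)
        expected = sha256_hex(previous) if previous is not None else None
        if body["previousDigestHashValue"] != expected:
            failures.append(f"digest {i}: chain link to previous digest is broken")
        for entry in body["logFiles"]:
            content = log_files.get(entry["name"])
            if content is None:
                failures.append(f"digest {i}: log file {entry['name']} is missing")
            elif sha256_hex(content) != entry["hashValue"]:
                failures.append(f"digest {i}: log file {entry['name']} was modified")
        previous = digest
    return failures


# Constructed sample: two hourly log deliveries, one digest per delivery.
LOGS = {
    "trail/2024-01-01T00.json": b'{"Records":[{"eventName":"ConsoleLogin"}]}',
    "trail/2024-01-01T01.json": b'{"Records":[{"eventName":"PutObject"}]}',
}


def build_chain(logs: Dict[str, bytes]) -> List[bytes]:
    """One digest per log file, each chained to the one before it."""
    digests: List[bytes] = []
    for name in sorted(logs):
        digests.append(make_digest({name: logs[name]}, digests[-1] if digests else None))
    return digests


if __name__ == "__main__":
    chain = build_chain(LOGS)
    print("intact:", validate_chain(chain, LOGS) or "OK")
    edited = dict(LOGS, **{"trail/2024-01-01T00.json": b'{"Records":[]}'})
    print("edited log:", validate_chain(chain, edited))
    print("first digest removed:", validate_chain(chain[1:], LOGS))
```

The chain only proves anything if the digests themselves cannot be rewritten, which is why the second and third bullets (object lock or versioning on the bucket, and denying `DeleteTrail` to non-admin roles) belong in the same section: validation detects tampering, the bucket and IAM controls make it hard to tamper in the first place.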
## Alerting
| Condition | Alert |
|---|---|
| CloudTrail disabled | CloudWatch alarm → SNS |
| Root account login | CloudWatch alarm → SNS |
| Unusual S3 access (screenshot bucket) | CloudWatch anomaly alarm → SNS |
| GuardDuty High finding | Security Hub → SNS |
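The script below is an added example, not code from the policy, that evaluates constructed CloudTrail events against the first two rows of the table (CloudTrail disabled, root account login). The Python rules mirror the CloudWatch Logs metric filter patterns the CIS AWS Foundations Benchmark uses for these conditions (quoted in the comments); in production the metric filter, CloudWatch alarm and SNS topic do this work, and a script like this is a way to exercise the rules offline against sample events. The S3 anomaly and GuardDuty rows are not modelled because they come from baseline- and finding-based services rather than a fixed pattern. Event contents, the trail name, account id and IP address are constructed.

```python
"""Evaluate CloudTrail events against the first two alert conditions in the
table above, CloudTrail disabled and root account login.

Added example, not code from the policy. The events are constructed in the
shape CloudTrail delivers to CloudWatch Logs; the rules mirror the CIS AWS
Foundations Benchmark metric filter patterns quoted in the comments.
"""
import json

# CIS pattern for CloudTrail configuration changes:
#   { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) ||
#     ($.eventName = DeleteTrail) || ($.eventName = StartLogging) ||
#     ($.eventName = StopLogging) }
# This policy row is about the trail being disabled, so only the calls that
# can stop or narrow delivery are flagged (UpdateTrail can turn off
# multi-region or log file validation).
TRAIL_DISABLING_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def evaluate(event: dict) -> list[str]:
    """Return the alert names this single event triggers (empty: no alert)."""
    alerts = []
    if (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and event.get("eventName") in TRAIL_DISABLING_CALLS):
        alerts.append("CloudTrail disabled")

    # CIS pattern for root usage:
    #   { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    #     && $.eventType != "AwsServiceEvent" }
    # That pattern fires on any root API call; the policy row is narrower
    # (console login), so ConsoleLogin is required here, success or failure.
    identity = event.get("userIdentity", {})
    if identity.get("type") == "Root" and event.get("eventName") == "ConsoleLogin":
        alerts.append("Root account login")
    return alerts


def scan(log_lines: list[str]) -> list[tuple[int, str]]:
    """Run evaluate() over JSON log lines; returns (line index, alert) pairs."""
    hits = []
    for i, line in enumerate(log_lines):
        for alert in evaluate(json.loads(line)):
            hits.append((i, alert))
    return hits


# Constructed sample events (documentation IP range, example account id).
SAMPLE_LOG_LINES = [json.dumps(e) for e in [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "accountId": "111122223333"},
     "responseElements": {"ConsoleLogin": "Success"}, "sourceIPAddress": "203.0.113.10"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "ops-example"},
     "requestParameters": {"name": "org-trail"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "analyst-example"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "eventType": "AwsApiCall", "userIdentity": {"type": "AssumedRole"}},
]]

if __name__ == "__main__":
    for index, alert in scan(SAMPLE_LOG_LINES):
        print(f"line {index}: {alert}")
```

Because the trail is multi-region, a `StopLogging` or `DeleteTrail` call made in any region lands in the same log group, so one metric filter in the home region covers the whole account; the offline rule above is the same check expressed in Python.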
## Log Access
Log access is restricted to:
- DevOps admin role (break-glass)
- Security investigation role (read-only, CloudWatch Logs Insights)
- Automated compliance tools (Config, Security Hub)