Security investigations in AWS frequently stall due to missing log sources rather than lack of skill. Six real-world-inspired scenarios illustrate critical blind spots: missing VPC Flow Logs prevent tracing internal traffic sources during data exfiltration; absent S3 Server Access Logs leave breach scope unknown; disabled EKS
Table of contents
The “basic logging trifecta” is essential but insufficient
Critical visibility gaps and solutions
Scenario 1: Missed VPC Flow Logs exposes blind spot in network traffic
Scenario 2: S3 data exfiltration: Which files were stolen?
Scenario 3: Unmasking a rogue pod with EKS Audit Logs
Scenario 4: Tracing serverless abuse with Lambda Invoke Events
Scenario 5: The compromised instance with no host-level footprints
Scenario 6: Detecting C2 Channels with Route 53 Resolver Query Logs
Conclusion