
Logging Failures in the Cloud: The Forensic Blind Spots Putting Organizations at Risk

Breaches go undetected due to incomplete cloud logs, leaving enterprises blind during investigations. SISA's forensic team outlines the critical logging gaps in AWS, Azure, and GCP and provides a definitive guide to building a forensic-ready security posture.


Executive Summary

Cloud providers (AWS, Azure, GCP) ship with conservative, cost-minded logging defaults that often omit data-plane, flow, and fine-grained access events. While this reduces cost, it creates a major security, forensic, and compliance gap. Breaches can go undetected for months, and when investigations finally begin, crucial evidence has already expired.

At SISA, our Sappers team has investigated multiple incidents where incomplete logging left enterprises blind during detection and post-incident forensics. These cases prove that logging must be treated as a first-class security control.

Why Logging Matters

Logging is the foundation of:

  • Detection: spotting malicious activity early.
  • Threat Hunting: identifying hidden attacker behaviors.
  • Forensics: reconstructing the full attack timeline.
  • Compliance: proving adherence to PCI DSS, HIPAA, GDPR, and more.

Without detailed and time-synchronized logs, organizations cannot answer the critical questions regulators, auditors, or executives will demand after an incident: What happened? Who accessed what? How much data is left?

Where Defaults Fail

Cloud providers intentionally limit default logging to save cost and performance overhead:

  • AWS: CloudTrail management events only (90 days). Object-level access (S3, DynamoDB, Lambda) and VPC flow logs are off.
  • Azure: Activity logs limited to control-plane (90 days). Diagnostic and flow logs disabled by default.
  • GCP: Data access logs disabled by default. Flow logs off. Retention as low as 30 days.

Across our investigations, these gaps repeatedly led to:

  • Forensic failure (no visibility into data exfiltration).
  • SOC blind spots (no detection of lateral movement).
  • Regulatory non-compliance (retention too short).

SISA Logging Suggestions

To achieve stronger detection and forensic readiness, SISA suggests enabling additional logs beyond cloud defaults. These logs provide richer visibility for anomaly detection, UEBA, and continuous monitoring of threats. When incidents occur, SISA’s forensic experts leverage these logs for deeper investigation and evidence preservation.

AWS

  • CloudTrail Data Events: S3 object access, Lambda executions, DynamoDB item-level, and EKS API calls.
  • VPC Flow Logs: Full coverage of east-west and outbound traffic.
  • ELB/ALB/NLB Access Logs: Visibility into application-level anomalies.
  • DNS Query Logs (Route 53): Spotting malicious or suspicious queries.
  • Immutable Central Storage: Using S3 Object Lock for tamper-proof retention.
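A quick way to verify the first item on that list is to audit a trail's event selectors. The script below is an added example, not SISA's tooling: it parses the JSON shape returned by `aws cloudtrail get-event-selectors` (the sample response is constructed, and the function names are mine) and reports which recommended data-event sources the trail does not record.

```python
"""Audit CloudTrail event selectors for the data-event gaps listed above.

Added example, not SISA's tooling. Parses the JSON shape that
`aws cloudtrail get-event-selectors` returns; the sample response below
is constructed, not captured from a real account.
"""
import json

# Data-event resource types from the AWS list above, mapped to the
# service-wide ARN prefix CloudTrail uses to mean "all resources".
REQUIRED_DATA_EVENTS = {
    "AWS::S3::Object": "arn:aws:s3",
    "AWS::Lambda::Function": "arn:aws:lambda",
    "AWS::DynamoDB::Table": "arn:aws:dynamodb",
}

# Constructed sample: management events on, S3 object-level events on,
# Lambda and DynamoDB data events still at the default (off).
SAMPLE_EVENT_SELECTORS = json.dumps({
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail",
    "EventSelectors": [{
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}],
    }],
})

def covered_data_events(selectors_json: str) -> set:
    """Resource types the trail records for every resource in the service.
    A single-resource ARN (one bucket, one table) does not count."""
    covered = set()
    for selector in json.loads(selectors_json).get("EventSelectors", []):
        for res in selector.get("DataResources", []):
            prefix = REQUIRED_DATA_EVENTS.get(res.get("Type"))
            if prefix and prefix in res.get("Values", []):
                covered.add(res["Type"])
    return covered

def missing_data_events(selectors_json: str) -> list:
    """Recommended data-event types this trail does not log, sorted."""
    covered = covered_data_events(selectors_json)
    return sorted(t for t in REQUIRED_DATA_EVENTS if t not in covered)

if __name__ == "__main__":
    for gap in missing_data_events(SAMPLE_EVENT_SELECTORS):
        print(f"GAP: {gap} data events are not logged by this trail")
```

Trails configured with advanced event selectors return an `AdvancedEventSelectors` list instead of `EventSelectors`; this check treats such a trail as having no data events and would need extending before use on those trails.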

Azure

  • Diagnostic Logs: Key Vault, Storage, SQL DB, Firewall, App Gateway, and AKS.
  • NSG Flow Logs (v2): To track network-level lateral movement.
  • Extended Azure AD Audit & Sign-in Logs: For authentication anomalies.
  • Application Gateway / WAF Logs: Crucial for identifying web-based threats.

GCP

  • Data Access Logs: For GCS, Cloud SQL, KMS, IAM, and GKE clusters.
  • VPC Flow Logs: Covering production and interconnect networks.
  • DNS & Load Balancer Logs: Key for identifying exfiltration or C2 traffic.
  • Centralized Export: Into BigQuery or Cloud Storage with encryption and lifecycle rules.

Cross-Platform & Infrastructure

  • Kubernetes: Control-plane audit logs, API server calls, pod lifecycle.
  • Identity Providers: Okta, Azure AD, MFA, and risky sign-in logs.
  • Host Security: Windows Security Events, Linux audits/syslog.
  • Network Security: Firewall, IDS/IPS, proxy, and WAF logs.
  • Application & Database: DB query auditing, storage access.
  • EDR/XDR: Endpoint telemetry (processes, file access, suspicious connections).

The Size Concern

Enabling these broader logs will increase ingestion and storage volumes, sometimes significantly:

  • Data-plane events (e.g., S3 object access) generate far more entries than management events.
  • Flow logs scale with every connection, leading to millions of records daily.
  • Kubernetes audit logs spike during upgrades and automated deployments.

This size concern must be managed carefully:

  • Tiered retention (90 days hot, 12–18 months warm/cold) balances cost with visibility.
  • Immutable storage ensures forensic defensibility while optimizing storage classes.
  • Selective enablement allows prioritizing sensitive workloads like payments, healthcare, or financial systems.

With this approach, organizations avoid uncontrolled storage costs while ensuring logs retain real forensic and detection value.
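As an added example (not SISA's configuration), the following expresses the tiering above as an S3 lifecycle configuration in the dict shape boto3's `put_bucket_lifecycle_configuration` accepts, pairs it with an Object Lock default retention in the shape `put_object_lock_configuration` accepts, and checks that the two agree. The day counts and storage classes are illustrative choices for "90 days hot, then warm/cold up to 18 months"; the function names are mine.

```python
"""Check a tiered log-retention plan against its Object Lock setting.

Added example, not SISA's configuration. Day counts and storage classes are
illustrative choices for "90 days hot, then warm/cold up to 18 months".
"""

LIFECYCLE_RULES = {
    "Rules": [{
        "ID": "tiered-log-retention",
        "Status": "Enabled",
        "Filter": {"Prefix": "AWSLogs/"},
        "Transitions": [                     # hot -> warm -> cold
            {"Days": 90, "StorageClass": "STANDARD_IA"},
            {"Days": 365, "StorageClass": "GLACIER_IR"},
        ],
        "Expiration": {"Days": 548},         # ~18 months
    }]
}

# Compliance mode: no principal, root included, can delete before the period ends.
OBJECT_LOCK = {"Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 548}}}

def storage_class_on_day(rule: dict, day: int) -> str:
    """Storage class of a log object `day` days after upload, or EXPIRED."""
    if day >= rule["Expiration"]["Days"]:
        return "EXPIRED"
    cls = "STANDARD"
    for t in sorted(rule["Transitions"], key=lambda t: t["Days"]):
        if day >= t["Days"]:
            cls = t["StorageClass"]
    return cls

def retention_issues(lifecycle: dict, lock: dict) -> list:
    """Mismatches that weaken forensic defensibility or waste storage."""
    issues = []
    lock_days = lock["Rule"]["DefaultRetention"]["Days"]
    for rule in lifecycle["Rules"]:
        days = [t["Days"] for t in rule["Transitions"]]
        expiry = rule["Expiration"]["Days"]
        if days != sorted(days):
            issues.append(f"{rule['ID']}: transitions out of order")
        if expiry > lock_days:   # lock lifts early: logs deletable before plan ends
            issues.append(f"{rule['ID']}: Object Lock shorter than retention")
        if expiry < lock_days:   # lifecycle cannot delete locked objects; they linger
            issues.append(f"{rule['ID']}: expiration shorter than Object Lock")
        if not days or days[0] > 90:
            issues.append(f"{rule['ID']}: hot tier exceeds 90 days")
    return issues
```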

How SISA ProACT Agentic SOC Solution & Sappers DFIR Team Use These Logs

AI-Powered Detection & UEBA

  1. Detect unusual behavior such as off-hour logins, large data downloads, or irregular network flows.
  2. Build baselines over months of logs to identify anomalies traditional rules miss.

SOC Monitoring & Threat Hunting

  1. Correlate across identity, network, cloud, and endpoint telemetry.
  2. Spot attack chains such as credential misuse → privilege escalation → data exfiltration.

Forensic Investigation

  1. Stitch together logs from CloudTrail, Flow Logs, Kubernetes, and endpoints into a clear timeline.
  2. Identify accessed data, movement paths, and potential exfiltration points.
  3. Preserve logs with tamper-proof immutability for legal and compliance needs.

Conclusion

Cloud logging defaults are not enough for today’s threat landscape. Relying only on defaults leaves organizations with dangerous blind spots and weak forensic readiness.

By following SISA Logging Suggestions and integrating them into SISA ProACT, enterprises gain:

  • Broader telemetry for AI/ML-driven anomaly detection,
  • Stronger baselines through UEBA analytics,
  • Continuous monitoring by our SOC experts, and
  • Forensic-ready evidence for deep investigations.

At SISA, our Sappers investigations prove that enhanced logging is not just compliance — it is the foundation of detecting faster, investigating deeper, and defending smarter.
