Are workload-level logs (VPC flow, container, app) sent to your SIEM?
Demonstrate that all production workload-level logs (VPC flow, container, and application) are configured to forward to the organization's SIEM and are actively being ingested and parsed.
Description
What this control does
This control ensures that workload-level logs—including VPC flow logs, container runtime logs, and application logs—are forwarded in near-real-time to a centralized Security Information and Event Management (SIEM) system. Proper log ingestion enables correlation of network traffic patterns, containerized workload activity, and application-layer events for threat detection and incident response. Without centralized visibility into ephemeral compute resources and microservices architectures, security teams cannot detect lateral movement, data exfiltration, or anomalous behavior within cloud-native environments.
Control objective
What auditing this proves
Demonstrate that all production workload-level logs (VPC flow, container, and application) are configured to forward to the organization's SIEM and are actively being ingested and parsed.
Associated risks
Risks this control addresses
- Lateral movement across cloud network segments goes undetected due to lack of VPC flow log visibility in SIEM
- Container escape or privilege escalation attempts are not identified because runtime logs remain isolated on ephemeral nodes
- Application-layer attacks (injection, authentication bypass, API abuse) evade detection when app logs are not centrally analyzed
- Incident responders lack sufficient forensic data to determine scope and timeline of compromises in containerized workloads
- Compliance violations occur when auditable events in application logs are not retained or correlated with network activity
- Data exfiltration via legitimate cloud services is missed due to fragmented visibility between network flow and application behavior
- Mean time to detect (MTTD) increases significantly when security analysts must manually access multiple disparate log sources
Testing procedure
How an auditor verifies this control
- Obtain an inventory of all production cloud environments, VPCs, container orchestration platforms (Kubernetes, ECS, etc.), and critical applications in scope.
- Review SIEM ingestion configuration and identify all configured log sources, filtering for VPC flow logs, container runtime logs, and application logs.
- Select a representative sample of VPCs across environments and verify flow log export settings point to the SIEM or intermediate log aggregator.
- Examine container orchestration platform configurations (e.g., Kubernetes DaemonSets, logging sidecars, Fluentd/Fluent Bit agents) to confirm stdout/stderr and runtime logs are forwarded.
- Review application deployment manifests or infrastructure-as-code templates to verify logging agents or SDK instrumentation directs logs to the SIEM.
- Query the SIEM for recent VPC flow logs, container logs, and application logs from sampled workloads to confirm active ingestion within the last 24 hours.
- Validate log parsing and field extraction by reviewing indexed fields and confirming key data elements (source/destination IPs, container IDs, application transaction IDs) are searchable.
- Test end-to-end log flow by generating a test event (e.g., spin up a test container, trigger an application error) and verify the event appears in SIEM within the expected latency window (typically 5-15 minutes).
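One way to script the freshness and parsing checks (recent ingestion within 24 hours, key fields extracted) and the end-to-end latency check from the procedure above, as an added example that is not part of the original page; the in-scope inventory, the SIEM query results, and the field names are constructed assumptions standing in for a real SIEM export.

```python
from datetime import datetime, timedelta, timezone

# Key data elements that must be parsed and searchable per log source type.
REQUIRED_FIELDS = {
    "vpc_flow": {"src_ip", "dst_ip"},
    "container": {"container_id"},
    "application": {"transaction_id"},
}

# Constructed in-scope inventory: (source_type, workload_id) pairs from the sample.
INVENTORY = [
    ("vpc_flow", "vpc-prod-a"),
    ("vpc_flow", "vpc-prod-b"),
    ("container", "k8s-prod-payments"),
    ("application", "payments-api"),
]

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed audit time

# Constructed SIEM query results: events returned for the sampled workloads,
# with the fields the SIEM actually extracted. payments-api returns nothing.
SIEM_EVENTS = [
    {"source_type": "vpc_flow", "workload_id": "vpc-prod-a",
     "event_time": NOW - timedelta(hours=2),
     "fields": {"src_ip": "10.0.1.5", "dst_ip": "10.0.2.9"}},
    {"source_type": "vpc_flow", "workload_id": "vpc-prod-b",
     "event_time": NOW - timedelta(hours=30),  # older than the 24h window
     "fields": {"src_ip": "10.0.3.1", "dst_ip": "10.0.4.2"}},
    {"source_type": "container", "workload_id": "k8s-prod-payments",
     "event_time": NOW - timedelta(minutes=5),
     "fields": {"message": "raw unparsed line"}},  # ingested but not parsed
]

def assess_ingestion(inventory, events, now, max_age=timedelta(hours=24)):
    """Map each in-scope source to 'ok', 'stale', 'missing' or 'unparsed:<fields>'."""
    latest = {}
    for e in events:  # keep only the newest event per source
        key = (e["source_type"], e["workload_id"])
        if key not in latest or e["event_time"] > latest[key]["event_time"]:
            latest[key] = e
    findings = {}
    for key in inventory:
        e = latest.get(key)
        if e is None:
            findings[key] = "missing"
        elif now - e["event_time"] > max_age:
            findings[key] = "stale"
        else:
            gaps = REQUIRED_FIELDS[key[0]] - set(e["fields"])
            findings[key] = "ok" if not gaps else "unparsed:" + ",".join(sorted(gaps))
    return findings

def within_latency(generated_at, observed_in_siem_at, window=timedelta(minutes=15)):
    """End-to-end test: did the synthetic event reach the SIEM inside the window?"""
    return timedelta(0) <= observed_in_siem_at - generated_at <= window
```

Any result other than "ok" is an audit exception to raise with the workload owner; "stale" and "missing" point at forwarding configuration, "unparsed" at the SIEM parser.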