Cloud logging and monitoring — CSA LOG control family
Primary statement
Cloud logging per CSA LOG-01 (control plane + data plane + network + application logs) + LOG-02 (tamper-evident storage + retention per regulatory floor — 180 days CERT-In) + LOG-03 (continuous automated alerting + periodic manual review) + LOG-04 (cloud-specific detections — credential compromise, resource hijacking, lateral movement) + LOG-05 (near-real-time monitoring with documented triage SLA). Full CSA LOG series.
Audit-fatigue payoff
A single cloud logging programme aligned to the CSA LOG series satisfies cloud logging requirements with one canonical specification, instead of one specification per audit.
Strictness matrix
Scope
Scope: control plane events (IAM, resource provisioning) + data plane (data access, API) + network flows + application errors + security events. Comprehensive cloud telemetry scope.
Ceiling source: csa_ccm:CSA.LOG-01
Rationale: CSA LOG-01 comprehensive scope.
Threshold
Threshold: tamper-evident storage (write-once / Object Lock) + retention per regulatory floor (180 days CERT-In minimum). Tamper evidence is binary: log storage is either write-once or it is not.
Ceiling source: csa_ccm:CSA.LOG-02
Rationale: CSA LOG-02 tamper-evident threshold is uniquely strict.
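An audit check for the LOG-02 threshold, added here as an example (it is not part of the CSA CCM or any vendor's tooling): it evaluates an S3 log bucket's Object Lock and lifecycle configuration against the 180-day CERT-In floor and returns findings in the register of the strictness matrix. The two input dicts follow the shapes the AWS `get_object_lock_configuration` and `get_bucket_lifecycle_configuration` API calls return; the sample configurations and the function names are the example's own.

```python
"""LOG-02 tamper-evident retention check (added example, not CSA's or AWS's code).
Input dicts use the shapes returned by S3's get_object_lock_configuration and
get_bucket_lifecycle_configuration; sample values below are constructed."""

CERT_IN_FLOOR_DAYS = 180  # regulatory floor cited by the control


def retention_days(default_retention: dict) -> int:
    """Normalise an Object Lock DefaultRetention block ({'Days': n} or
    {'Years': n}) to days; a missing block means no default retention."""
    if not default_retention:
        return 0
    if "Years" in default_retention:
        return int(default_retention["Years"]) * 365
    return int(default_retention.get("Days", 0))


def check_log_bucket(object_lock_cfg: dict, lifecycle_cfg: dict,
                     floor_days: int = CERT_IN_FLOOR_DAYS) -> list:
    """Return audit findings for one log bucket; an empty list is a pass."""
    findings = []

    # Tamper evidence is binary: without Object Lock nothing below matters.
    # (The real API raises ObjectLockConfigurationNotFoundError when the
    # bucket has no lock configuration; callers map that to an empty dict.)
    if object_lock_cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("LOG-02: Object Lock not enabled; log storage is not write-once")
        return findings

    rule = object_lock_cfg.get("Rule", {}).get("DefaultRetention", {})
    mode = rule.get("Mode")
    # GOVERNANCE mode can be overridden by principals holding
    # s3:BypassGovernanceRetention, so only COMPLIANCE mode is tamper-evident
    # against a compromised or malicious administrator credential.
    if mode != "COMPLIANCE":
        findings.append(f"LOG-02: default retention mode is {mode!r}, expected COMPLIANCE")

    days = retention_days(rule)
    if days < floor_days:
        findings.append(f"LOG-02: default retention {days}d is below the {floor_days}d regulatory floor")

    # A lifecycle expiration shorter than the floor is a retention finding in
    # its own right: it documents an intent to keep less than the regulator requires.
    for lc_rule in lifecycle_cfg.get("Rules", []):
        if lc_rule.get("Status") != "Enabled":
            continue
        exp_days = lc_rule.get("Expiration", {}).get("Days")
        if exp_days is not None and exp_days < floor_days:
            findings.append(f"LOG-02: lifecycle rule {lc_rule.get('ID', '?')!r} expires "
                            f"objects after {exp_days}d, below the {floor_days}d floor")
    return findings


# Constructed sample configurations (not taken from any real account).
COMPLIANT_LOCK = {"ObjectLockEnabled": "Enabled",
                  "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 180}}}
WEAK_LOCK = {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 90}}}
NO_LOCK = {}
SHORT_LIFECYCLE = {"Rules": [{"ID": "expire-logs", "Status": "Enabled",
                              "Filter": {"Prefix": ""}, "Expiration": {"Days": 90}}]}
NO_LIFECYCLE = {"Rules": []}

if __name__ == "__main__":
    for name, lock, lc in [("compliant", COMPLIANT_LOCK, NO_LIFECYCLE),
                           ("weak", WEAK_LOCK, SHORT_LIFECYCLE),
                           ("unlocked", NO_LOCK, NO_LIFECYCLE)]:
        print(name, check_log_bucket(lock, lc) or ["pass"])
```

The check deliberately stops after the missing-lock finding: once storage is not write-once, the mode and duration findings would only restate that the threshold is unmet.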
Method
Method: logging coverage (LOG-01) + tamper-evident retention (LOG-02) + continuous alerting + periodic review (LOG-03) + cloud-specific detections (LOG-04 — credential compromise, resource hijacking, lateral movement) + near-real-time monitoring with triage SLA (LOG-05).
Ceiling source: csa_ccm:CSA.LOG-04
Rationale: CSA LOG-01 through LOG-05 form the canonical cloud logging method.
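The LOG-04 detections and the LOG-05 triage SLA, added here as an example rather than CSA's or any cloud provider's code: one heuristic for each of the page's cloud-specific detection classes (credential compromise, resource hijacking, lateral movement) runs over constructed CloudTrail-shaped events, and an SLA check runs over a constructed alert queue of the kind the "alerts ignored" common finding asks an auditor to look for. Field names follow CloudTrail's record format; the approved-region list, trusted-account list, thresholds and the 30-minute SLA are assumptions made for the example.

```python
"""LOG-04 cloud-specific detections and LOG-05 triage SLA over constructed
CloudTrail-style records (added example, not CSA's or AWS's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

APPROVED_REGIONS = {"ap-south-1", "us-east-1"}       # assumption for the example
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}  # assumption for the example


def _t(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_shared_key(events, window=timedelta(minutes=10)):
    """Credential compromise: one access key used from two source IPs inside
    `window`. A key normally lives on one host, so concurrent use from elsewhere
    is the usual first sign that it has been copied."""
    by_key = defaultdict(list)
    for e in events:
        key = e["userIdentity"].get("accessKeyId")
        if key:
            by_key[key].append((_t(e["eventTime"]), e["sourceIPAddress"]))
    seen = set()
    for key, uses in by_key.items():
        uses.sort()
        for i, (t1, ip1) in enumerate(uses):
            for t2, ip2 in uses[i + 1:]:
                if t2 - t1 > window:
                    break  # time-ordered, so nothing later can be in window
                if ip1 != ip2:
                    seen.add((key,) + tuple(sorted((ip1, ip2))))
    return [f"LOG-04 credential: {k} used from {a} and {b} within {window}"
            for k, a, b in sorted(seen)]


def detect_region_hijack(events, threshold=3):
    """Resource hijacking: a burst of RunInstances in a region the organisation
    does not use, the pattern of compute abuse on stolen credentials."""
    counts = defaultdict(int)
    for e in events:
        if e["eventName"] == "RunInstances" and e["awsRegion"] not in APPROVED_REGIONS:
            counts[e["awsRegion"]] += 1
    return [f"LOG-04 hijack: {n} RunInstances in unapproved region {r}"
            for r, n in sorted(counts.items()) if n >= threshold]


def detect_cross_account_assume(events):
    """Lateral movement: AssumeRole into an account that is neither the caller's
    own nor on the trusted list. The account id is field 4 of the role ARN."""
    alerts = []
    for e in events:
        if e["eventName"] != "AssumeRole":
            continue
        target = e["requestParameters"]["roleArn"].split(":")[4]
        src = e["userIdentity"]["accountId"]
        if target != src and target not in TRUSTED_ACCOUNTS:
            alerts.append(f"LOG-04 lateral: {src} assumed role in untrusted account {target}")
    return alerts


def triage_sla_breaches(alert_queue, sla=timedelta(minutes=30)):
    """LOG-05: alert ids acknowledged later than the SLA, or never acknowledged."""
    return [a["id"] for a in alert_queue
            if a.get("acknowledged_at") is None
            or _t(a["acknowledged_at"]) - _t(a["detected_at"]) > sla]


def ev(time, name, ip, region, key, account="111111111111", **extra):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    rec = {"eventTime": time, "eventName": name, "sourceIPAddress": ip, "awsRegion": region,
           "userIdentity": {"accessKeyId": key, "accountId": account}}
    rec.update(extra)
    return rec


# Constructed events: one key used from two IPs, a RunInstances burst in an
# unused region, one untrusted and one trusted cross-account AssumeRole.
EVENTS = [
    ev("2024-05-01T09:00:00Z", "ListBuckets", "203.0.113.10", "ap-south-1", "AKIACONSTRUCTED001"),
    ev("2024-05-01T09:04:00Z", "ListBuckets", "198.51.100.7", "ap-south-1", "AKIACONSTRUCTED001"),
    ev("2024-05-01T09:10:00Z", "RunInstances", "198.51.100.7", "sa-east-1", "AKIACONSTRUCTED001"),
    ev("2024-05-01T09:11:00Z", "RunInstances", "198.51.100.7", "sa-east-1", "AKIACONSTRUCTED001"),
    ev("2024-05-01T09:12:00Z", "RunInstances", "198.51.100.7", "sa-east-1", "AKIACONSTRUCTED001"),
    ev("2024-05-01T09:20:00Z", "AssumeRole", "198.51.100.7", "us-east-1", "AKIACONSTRUCTED001",
       requestParameters={"roleArn": "arn:aws:iam::999999999999:role/Admin"}),
    ev("2024-05-01T09:21:00Z", "AssumeRole", "203.0.113.10", "us-east-1", "AKIACONSTRUCTED002",
       requestParameters={"roleArn": "arn:aws:iam::222222222222:role/ReadOnly"}),
]

# Constructed alert queue: A-1 within SLA, A-2 late, A-3 never acknowledged.
ALERT_QUEUE = [
    {"id": "A-1", "detected_at": "2024-05-01T09:05:00Z", "acknowledged_at": "2024-05-01T09:15:00Z"},
    {"id": "A-2", "detected_at": "2024-05-01T09:12:00Z", "acknowledged_at": "2024-05-01T10:30:00Z"},
    {"id": "A-3", "detected_at": "2024-05-01T09:20:00Z", "acknowledged_at": None},
]


def run_all(events=EVENTS):
    return detect_shared_key(events) + detect_region_hijack(events) + detect_cross_account_assume(events)


if __name__ == "__main__":
    for line in run_all():
        print(line)
    print("SLA breaches:", triage_sla_breaches(ALERT_QUEUE))
```

Each detector returns its alerts as a list so that, as the auditor test pattern expects, a sampled alert can be traced from the detection rule to the queue entry and its acknowledgement time.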
Frequency
Logging continuous. Alerting near-real-time. Manual review periodic. Retention per regulatory floor (180 days CERT-In minimum).
Ceiling source: csa_ccm:CSA.LOG-05
Rationale: Near-real-time monitoring is the audit-defensible cadence.
Evidence
Evidence: logging coverage configuration + retention configuration + alerting rules + cloud-specific detections + sample alerts traced to response + triage SLA evidence.
Ceiling source: csa_ccm:CSA.LOG-01
Rationale: CSA LOG-01 evidence is comprehensive.
Auditor test pattern
Step 1: Inspect logging coverage. Step 2: Verify tamper-evident retention. Step 3: Verify cloud-specific detection rules. Step 4: Sample 3 alerts; trace to response. Step 5: Verify triage SLA.
Common findings
Common findings: (1) Logging covers control plane only; data plane gaps; (2) Retention shorter than CERT-In 180 days; (3) Cloud-specific detections absent; (4) Alerts ignored — no triage SLA tracking.