Tags: amazon-web-services, security, debugging, logging, bots

How do I keep a log of all user requests for a specific route properly?


An exploit in my application was found by someone, allowing them to bypass many security checks. I have no idea how they did it; after many attempts of brainstorming and crafting malicious requests, I have failed to recreate their attack.

But I came up with an idea: I need to keep a log of all the users' requests for a couple of sensitive routes to see what payloads the hacker was sending, or if they even went through these routes at all!

My question is, how do I do it? Is there a service provided by AWS? (I use AWS, but I'm not limited to AWS solutions.) Is this even a good idea?


Solution

  • I use Elastic Beanstalk to manage my EC2 instances, I use load balancers, and I use ExpressJS to serve my app.

    You can enable access logs on your load balancer, although I'm not sure if this will record all the information you need. You would need to run something like Amazon Athena against the log files in S3 to query for the specific user's access requests.

    You can attach a Web Application Firewall to your load balancer. In addition to acting as a firewall to block bad requests, you can also configure firewall rules with a "log" action that just log all the request data for matching requests. This can be helpful for getting all the details of specific requests you want to monitor.

    Elastic Beanstalk NodeJS environments like yours also use Nginx as a web proxy on the EC2 instances. One of the best ways to log all the request data you care about is to configure custom logging settings in the Nginx configuration.

    I also recommend configuring Elastic Beanstalk to stream the Nginx logs to AWS CloudWatch Logs. You will then be able to do things like search all the logs for a given time period, filtered by IP address, which is the kind of thing you need when investigating a single user's activity.
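One way to capture the requests for specific sensitive routes at the application layer, complementing the Nginx and load balancer logs above, as an added example that is not part of the original question or answer: an Express middleware that emits one structured JSON line per request under a list of route prefixes. The function names, route prefixes and redaction lists are assumptions; it assumes Express with a body parser and an ELB/ALB in front, so the client IP is read from X-Forwarded-For, and stdout lines are what an Elastic Beanstalk log stream would forward to CloudWatch Logs.

```javascript
// Added example (not code from the original post). Request audit middleware for
// Express: logs method, path, client IP, headers and body for sensitive routes.
// Credentials are redacted so the investigation log does not become a new leak.
const REDACTED_HEADERS = new Set(['authorization', 'cookie', 'x-api-key']);
const REDACTED_BODY_FIELDS = new Set(['password', 'token', 'secret']);
const MAX_BODY_CHARS = 4096; // keep log lines bounded

// Pure function: build the audit record for a request once its response status is known.
function buildAuditRecord(req, statusCode, now = new Date()) {
  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    headers[name] = REDACTED_HEADERS.has(name.toLowerCase()) ? '[redacted]' : value;
  }
  let body = req.body;
  if (body && typeof body === 'object') {
    body = { ...body };
    for (const key of Object.keys(body)) {
      if (REDACTED_BODY_FIELDS.has(key.toLowerCase())) body[key] = '[redacted]';
    }
  }
  const bodyText = body === undefined ? '' : JSON.stringify(body);
  // Behind a load balancer req.ip is the LB; the first X-Forwarded-For entry is the client.
  const forwarded = (req.headers && req.headers['x-forwarded-for']) || '';
  return {
    ts: now.toISOString(),
    clientIp: forwarded.split(',')[0].trim() || req.ip || '',
    method: req.method,
    path: req.originalUrl || req.url,
    status: statusCode,
    headers,
    body: bodyText.slice(0, MAX_BODY_CHARS),
    bodyTruncated: bodyText.length > MAX_BODY_CHARS,
  };
}

// Middleware factory: only requests whose path starts with one of `prefixes` are logged.
// `sink` receives each JSON line; the default writes to stdout for the log shipper.
function auditLogger(prefixes, sink = (line) => process.stdout.write(line + '\n')) {
  return function auditMiddleware(req, res, next) {
    const path = req.originalUrl || req.url || '';
    if (!prefixes.some((prefix) => path.startsWith(prefix))) return next();
    // Log on 'finish' so the record includes the status the app actually returned.
    res.on('finish', () => sink(JSON.stringify(buildAuditRecord(req, res.statusCode))));
    next();
  };
}

// Usage in the app (hypothetical route prefixes), registered before the routes:
//   app.use(express.json());
//   app.use(auditLogger(['/admin', '/api/transfer']));
```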