Directory Service Log Forwarding to CloudWatch
Overview
This check validates whether your AWS Directory Service directories are configured to forward domain controller security event logs to Amazon CloudWatch Logs. Log forwarding gives you visibility into authentication events, policy changes, and privilege grants within your Active Directory environment. Log forwarding is a feature of AWS Managed Microsoft AD; Simple AD and AD Connector directories have no domain controllers managed for you in this way and do not support it, so they are out of scope for this check.
Risk
Without log forwarding enabled, you lose visibility into critical Active Directory security events. This can:
- Delay detection of suspicious login attempts or brute-force attacks
- Allow attackers to escalate privileges undetected
- Make forensic investigation and incident response significantly harder
- Result in compliance violations for standards requiring centralized logging
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify Directory Service settings
- A CloudWatch Logs log group (you can create one during setup)
Required IAM permissions
Your IAM user or role needs the following permissions:
- ds:CreateLogSubscription
- ds:DescribeLogSubscriptions
- ds:DescribeDirectories
- logs:CreateLogGroup (if creating a new log group)
- logs:DescribeLogGroups
- logs:PutResourcePolicy (the log group needs a resource policy that allows the ds.amazonaws.com service principal to write to it; the console creates this policy for you, while the CLI and infrastructure-as-code paths below create it explicitly)
AWS Console Method
- Open the AWS Directory Service console
- In the navigation pane, choose Directories
- Click on the Directory ID of your target directory
- Select the Networking & security tab
- Scroll down to the Log forwarding section
- Click Enable
- Either:
- Select an existing CloudWatch Logs log group, or
- Create a new log group (recommended naming: /aws/directoryservice/<directory-id>)
- Click Enable to activate log forwarding
You should see the Log forwarding status change to Enabled.
AWS CLI (optional)
Enable Log Forwarding via CLI
First, identify your directory ID:
aws ds describe-directories \
--region us-east-1 \
--query "DirectoryDescriptions[*].[DirectoryId,Name,Type]" \
--output table
Create a CloudWatch Logs log group (if needed):
aws logs create-log-group \
--log-group-name /aws/directoryservice/d-1234567890 \
--region us-east-1
Grant Directory Service permission to write to the log group. The console does this for you, but from the CLI you must add the resource policy yourself; without it the ds.amazonaws.com service principal cannot create log streams or put events into the group:
aws logs put-resource-policy \
--policy-name DSLogSubscription \
--policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ds.amazonaws.com"},"Action":["logs:CreateLogStream","logs:PutLogEvents"],"Resource":"arn:aws:logs:us-east-1:123456789012:log-group:/aws/directoryservice/d-1234567890:*"}]}' \
--region us-east-1
Enable log forwarding:
aws ds create-log-subscription \
--directory-id d-1234567890 \
--log-group-name /aws/directoryservice/d-1234567890 \
--region us-east-1
Replace d-1234567890 with your actual directory ID and 123456789012 with your AWS account ID.
Verify the subscription:
aws ds describe-log-subscriptions \
--directory-id d-1234567890 \
--region us-east-1
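The CLI steps above can be turned into the check itself. The following Python script is an added example (it is not from the original page or from AWS): its evaluation functions run on the JSON shapes returned by describe-directories, describe-log-subscriptions and describe-log-streams, so they can be exercised offline against the constructed sample responses embedded in the script; run_live() is a hypothetical helper that pulls the real responses from an account with boto3. Directories of types other than MicrosoftAD are reported as not applicable rather than as failures, and a subscription whose log group has received no events recently is flagged separately, since that is the usual symptom of a missing log group resource policy.

```python
"""Evaluate AWS Directory Service log forwarding from API responses.

Added example, not part of the original page. The evaluation functions work on
the JSON returned by DescribeDirectories, DescribeLogSubscriptions and
DescribeLogStreams; run_live() (hypothetical helper) wires them to boto3.
"""
import time
from dataclasses import dataclass

# Only AWS Managed Microsoft AD supports log forwarding; Simple AD and
# AD Connector are reported as not applicable, not as failures.
SUPPORTED_TYPES = {"MicrosoftAD"}

# Constructed sample responses (not real account data) for offline use.
SAMPLE_DIRECTORIES = [
    {"DirectoryId": "d-1234567890", "Name": "corp.example.com", "Type": "MicrosoftAD"},
    {"DirectoryId": "d-0987654321", "Name": "lab.example.com", "Type": "MicrosoftAD"},
    {"DirectoryId": "d-abcdef0123", "Name": "legacy.example.com", "Type": "SimpleAD"},
]
SAMPLE_SUBSCRIPTIONS = [
    {"DirectoryId": "d-1234567890", "LogGroupName": "/aws/directoryservice/d-1234567890"},
]


@dataclass
class Finding:
    directory_id: str
    name: str
    status: str   # "PASS", "FAIL" or "NOT_APPLICABLE"
    detail: str


def evaluate_directories(directories, subscriptions):
    """Return one Finding per directory.

    directories: the DirectoryDescriptions list from DescribeDirectories.
    subscriptions: the LogSubscriptions list from DescribeLogSubscriptions
    (called without a directory id it lists every subscription in the account).
    """
    groups_by_dir = {}
    for sub in subscriptions:
        groups_by_dir.setdefault(sub["DirectoryId"], []).append(sub["LogGroupName"])

    findings = []
    for d in directories:
        did, name, dtype = d["DirectoryId"], d.get("Name", ""), d.get("Type", "")
        if dtype not in SUPPORTED_TYPES:
            findings.append(Finding(did, name, "NOT_APPLICABLE",
                                    f"{dtype or 'unknown type'} does not support log forwarding"))
        elif did in groups_by_dir:
            findings.append(Finding(did, name, "PASS",
                                    "forwarding to " + ", ".join(groups_by_dir[did])))
        else:
            findings.append(Finding(did, name, "FAIL", "no CloudWatch Logs log subscription"))
    return findings


def logs_are_flowing(log_streams, now_ms, max_age_minutes=60):
    """True if any stream in DescribeLogStreams output got an event within max_age_minutes.

    A subscription that exists but whose log group has gone quiet usually means the
    log group resource policy is missing or the group was deleted and recreated.
    """
    cutoff = now_ms - max_age_minutes * 60_000
    return any(s["lastEventTimestamp"] >= cutoff
               for s in log_streams if "lastEventTimestamp" in s)


def run_live(region):
    """Query the account with boto3; return (findings, {directory_id: events_recent})."""
    import boto3  # imported here so the evaluation functions stay testable offline
    ds = boto3.client("ds", region_name=region)
    logs = boto3.client("logs", region_name=region)

    directories, subscriptions, kwargs = [], [], {}
    while True:  # manual NextToken paging
        page = ds.describe_directories(**kwargs)
        directories.extend(page["DirectoryDescriptions"])
        if "NextToken" not in page:
            break
        kwargs = {"NextToken": page["NextToken"]}
    kwargs = {}
    while True:
        page = ds.describe_log_subscriptions(**kwargs)
        subscriptions.extend(page["LogSubscriptions"])
        if "NextToken" not in page:
            break
        kwargs = {"NextToken": page["NextToken"]}

    now_ms = int(time.time() * 1000)
    flowing = {}
    for sub in subscriptions:
        streams = logs.describe_log_streams(logGroupName=sub["LogGroupName"],
                                            orderBy="LastEventTime", descending=True,
                                            limit=5)["logStreams"]
        flowing[sub["DirectoryId"]] = logs_are_flowing(streams, now_ms)
    return evaluate_directories(directories, subscriptions), flowing


if __name__ == "__main__":
    import sys
    findings, flowing = run_live(sys.argv[1] if len(sys.argv) > 1 else "us-east-1")
    for f in findings:
        recent = f" (recent events: {flowing.get(f.directory_id)})" if f.status == "PASS" else ""
        print(f"{f.status:<14} {f.directory_id} {f.name} - {f.detail}{recent}")
```

Run it as `python ds_log_forwarding_check.py us-east-1` with credentials that carry the ds:Describe* and logs:DescribeLogStreams permissions; a PASS with "recent events: False" is worth treating as a finding in its own right.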
CloudFormation (optional)
AWSTemplateFormatVersion: '2010-09-09'
Description: Enable log forwarding for AWS Directory Service
Parameters:
  DirectoryId:
    Type: String
    Description: The ID of the directory (e.g., d-1234567890)
    AllowedPattern: ^d-[0-9a-f]{10}$
  LogGroupName:
    Type: String
    Description: CloudWatch Logs log group name
    Default: /aws/directoryservice/logs
Resources:
  DirectoryLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Ref LogGroupName
      RetentionInDays: 365
  # Directory Service writes as the ds.amazonaws.com service principal; without this
  # log group resource policy it cannot create log streams or put events.
  DirectoryLogResourcePolicy:
    Type: AWS::Logs::ResourcePolicy
    Properties:
      PolicyName: !Sub "DSLogSubscription-${DirectoryId}"
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ds.amazonaws.com"},
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "${DirectoryLogGroup.Arn}"
          }]
        }
  DirectoryLogSubscription:
    Type: AWS::DirectoryService::LogSubscription
    DependsOn:
      - DirectoryLogGroup
      - DirectoryLogResourcePolicy
    Properties:
      DirectoryId: !Ref DirectoryId
      LogGroupName: !Ref LogGroupName
Outputs:
  LogGroupArn:
    Description: ARN of the CloudWatch Logs log group
    Value: !GetAtt DirectoryLogGroup.Arn
Deploy the stack:
aws cloudformation create-stack \
--stack-name ds-log-forwarding \
--template-body file://template.yaml \
--parameters ParameterKey=DirectoryId,ParameterValue=d-1234567890 \
--region us-east-1
Terraform (optional)
variable "directory_id" {
  description = "The ID of the AWS Directory Service directory"
  type        = string
  # Example: d-1234567890
}
variable "log_group_name" {
  description = "CloudWatch Logs log group name for directory logs"
  type        = string
  default     = "/aws/directoryservice/logs"
}
resource "aws_cloudwatch_log_group" "directory_logs" {
  name              = var.log_group_name
  retention_in_days = 365
  tags = {
    Purpose = "Directory Service Log Forwarding"
  }
}
# Directory Service writes as the ds.amazonaws.com service principal; the log group
# needs a resource policy granting it stream creation and event delivery.
data "aws_iam_policy_document" "directory_logs" {
  statement {
    effect  = "Allow"
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
    principals {
      type        = "Service"
      identifiers = ["ds.amazonaws.com"]
    }
    resources = ["${aws_cloudwatch_log_group.directory_logs.arn}:*"]
  }
}
resource "aws_cloudwatch_log_resource_policy" "directory_logs" {
  policy_name     = "DSLogSubscription-${var.directory_id}"
  policy_document = data.aws_iam_policy_document.directory_logs.json
}
resource "aws_directory_service_log_subscription" "main" {
  directory_id   = var.directory_id
  log_group_name = aws_cloudwatch_log_group.directory_logs.name
  depends_on     = [aws_cloudwatch_log_resource_policy.directory_logs]
}
output "log_group_arn" {
  description = "ARN of the CloudWatch Logs log group"
  value       = aws_cloudwatch_log_group.directory_logs.arn
}
Apply the configuration:
terraform init
terraform apply -var="directory_id=d-1234567890"
Verification
After enabling log forwarding:
- Return to the Networking & security tab of your directory
- Confirm that Log forwarding shows as Enabled
- Click on the log group link to open CloudWatch Logs
- Within a few minutes, you should see log streams appearing with security event data
CLI verification commands
Check log subscription status:
aws ds describe-log-subscriptions \
--directory-id d-1234567890 \
--region us-east-1
Verify logs are flowing to CloudWatch:
aws logs describe-log-streams \
--log-group-name /aws/directoryservice/d-1234567890 \
--region us-east-1 \
--order-by LastEventTime \
--descending \
--limit 5
Additional Resources
- Enable Log Forwarding - AWS Documentation
- Directory Service Incident Response
- CloudWatch Logs User Guide
Notes
- Log retention: Set an appropriate retention period on your CloudWatch Logs log group to manage costs while meeting compliance requirements.
- Access controls: Directory Service writes to the log group as the ds.amazonaws.com service principal, so the log group resource policy should grant only that principal, and only logs:CreateLogStream and logs:PutLogEvents on that log group. Restrict who can read, modify, or delete the log group and its resource policy so forwarded events cannot be suppressed or tampered with.
- Alerting: Consider creating CloudWatch Alarms or EventBridge rules to alert on high-risk events such as failed authentications or privilege escalations.
- Cross-account logging: For centralized security monitoring, attach a CloudWatch Logs subscription filter to the log group and point it at a cross-account CloudWatch Logs destination (backed by Kinesis Data Streams or Firehose) in a central security account.
- Cost consideration: Directory Service log forwarding incurs standard CloudWatch Logs ingestion and storage charges.
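The alerting note above is easier to act on with concrete events. The following Python detector is an added example, not code from this page or from AWS: the lines in SAMPLE_MESSAGES are constructed approximations of Windows Security event text rather than the exact format Directory Service forwards, so the field regexes are assumptions to adapt to your own log streams. The Event IDs it keys on (4625 failed logon, 4740 account lockout, 4728/4732/4756 member added to a security-enabled group) and the AWS Delegated Administrators group are real. It distinguishes password spraying (many accounts from one source) from brute force against one account, and builds the OR-form CloudWatch Logs filter pattern you would feed to a metric filter for the same Event IDs.

```python
"""Flag high-risk Active Directory events in messages forwarded to CloudWatch Logs.

Added example, not part of the original page. SAMPLE_MESSAGES are constructed
approximations of Windows Security event text; real forwarded events are
multi-line, so adjust the field regexes to the text your directory emits.
"""
import re
from collections import defaultdict

FAILED_LOGON = 4625
ACCOUNT_LOCKOUT = 4740
# 4728 / 4732 / 4756: member added to a security-enabled global / local / universal group
GROUP_MEMBER_ADDED = {4728, 4732, 4756}
# Built-in AD groups plus the delegated-admin group AWS Managed Microsoft AD creates
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "AWS Delegated Administrators"}

# Field regexes for the constructed "Field: value | Field: value" layout (assumption).
_FIELDS = {
    "event_id": re.compile(r"EventID:\s*(\d+)"),
    "account": re.compile(r"Account Name:\s*([^|]+)"),
    "source": re.compile(r"Source Network Address:\s*([^|]+)"),
    "subject": re.compile(r"Subject:\s*([^|]+)"),
    "member": re.compile(r"Member:\s*([^|]+)"),
    "group": re.compile(r"Group Name:\s*([^|]+)"),
}

# Constructed sample messages (not real directory output).
SAMPLE_MESSAGES = [
    "EventID: 4625 | Account Name: jdoe | Source Network Address: 10.0.3.77 | Status: 0xC000006D",
    "EventID: 4625 | Account Name: asmith | Source Network Address: 10.0.3.77 | Status: 0xC000006D",
    "EventID: 4625 | Account Name: bwong | Source Network Address: 10.0.3.77 | Status: 0xC000006D",
    "EventID: 4625 | Account Name: svc-backup | Source Network Address: 10.0.3.77 | Status: 0xC000006D",
    "EventID: 4625 | Account Name: ops | Source Network Address: 10.0.3.77 | Status: 0xC000006D",
    "EventID: 4625 | Account Name: jdoe | Source Network Address: 10.0.1.5 | Status: 0xC000006D",
    "EventID: 4624 | Account Name: jdoe | Source Network Address: 10.0.1.5 | Logon Type: 3",
    "EventID: 4740 | Account Name: ops | Caller Computer Name: WS-42",
    "EventID: 4728 | Subject: admin01 | Member: jdoe | Group Name: Domain Admins",
    "EventID: 4732 | Subject: admin01 | Member: svc-print | Group Name: Print Operators",
    "heartbeat line with no Event ID",
]


def parse_event(message):
    """Return a dict of the recognised fields, or None if there is no Event ID."""
    m = _FIELDS["event_id"].search(message)
    if not m:
        return None
    event = {"event_id": int(m.group(1))}
    for name, rx in _FIELDS.items():
        if name != "event_id" and (hit := rx.search(message)):
            event[name] = hit.group(1).strip()
    return event


def detect(messages, failed_logon_threshold=5):
    """Return (kind, description) alerts for a batch of forwarded messages."""
    alerts = []
    failures_by_source = defaultdict(list)   # source address -> accounts that failed
    for message in messages:
        ev = parse_event(message)
        if ev is None:
            continue
        eid = ev["event_id"]
        if eid == FAILED_LOGON:
            failures_by_source[ev.get("source", "unknown")].append(ev.get("account", "?"))
        elif eid == ACCOUNT_LOCKOUT:
            alerts.append(("account_lockout", f"{ev.get('account')} was locked out"))
        elif eid in GROUP_MEMBER_ADDED and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_change",
                           f"{ev.get('subject')} added {ev.get('member')} to {ev.get('group')}"))
    for source, accounts in failures_by_source.items():
        if len(accounts) >= failed_logon_threshold:
            # Many distinct accounts from one source is spraying; one account hammered is brute force.
            kind = "password_spray" if len(set(accounts)) >= 3 else "brute_force"
            alerts.append((kind, f"{len(accounts)} failed logons from {source} "
                                 f"against {len(set(accounts))} account(s)"))
    return alerts


def metric_filter_pattern(event_ids):
    """CloudWatch Logs filter pattern matching any of the given Event IDs as terms.

    A leading ? makes a term optional, so the pattern is an OR over the IDs; the
    quoted text is an assumption and must match what the forwarded message contains.
    """
    return " ".join(f'?"EventID: {eid}"' for eid in sorted(event_ids))


if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_MESSAGES):
        print(f"{kind:<24} {detail}")
    print(metric_filter_pattern(GROUP_MEMBER_ADDED))
```

The same logic fits a Lambda subscribed to the log group, with `detect()` applied to each batch's decoded `logEvents` messages; the metric filter pattern is the cheaper option when a count-based CloudWatch Alarm is enough.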