What US federal customers need to know about memorandum M-21-31

This blog was updated October 2023 to provide new resources and guidance. 

The US Office of Management and Budget published M-21-31, a memorandum for federal government agencies to define event logging requirements related to cybersecurity incidents. These guidelines aim to support the detection, investigation, and remediation of cyber incidents on federal information systems. The memorandum defines various event logging (EL) tiers and the log data that must be captured for various log categories. EL1 is defined by a basic rating, in which logging requirements of the highest criticality are to be captured. EL2 and EL3 describe further event logging maturity levels which build on EL1.

In this blog post, learn the services from Amazon Web Services (AWS) that have been called out explicitly in the memorandum for logging and retention requirements at the EL1 level, and the resources you can use to set up these services to capture the required log data. Note, however, that there are other requirements to meet EL1 that are beyond the scope of this blog post.

M-21-31 logging requirements for the EL1 tier for federal AWS customers

For AWS federal customers, logs from the following AWS services are required to be captured at the EL1 level. Agencies and organizations must retain the logs from these services for 30 months: 12 months in “hot” storage—storage can be accessed instantly—and another 18 months in “cold” storage that can be retrieved upon request. Customers can use Amazon Simple Storage Service (Amazon S3) Intelligent Tiering for the hot storage, and Amazon S3 Glacier for the colder storage tiers.

These are the AWS services listed in the M-21-31 memorandum that require the capture and storage of log data:

• AWS CloudTrail
• Amazon CloudWatch
• AWS Config
• Amazon S3 Access Logs
• Amazon Virtual Private Cloud (Amazon VPC) Flow Logs
• AWS WAF Logs
• AWS Shield
• Amazon GuardDuty
• AWS Security Hub

Logs from these services need to be enabled in all AWS Regions and accounts that are within scope. Logs should also be shipped to a centralized repository in the formats prescribed in Appendix A of the memorandum. It is recommended that this be a simple centralized logging account that is dedicated to receiving and storing logs, so customers can store all their logs in a consolidated repository designed to be secure for analysis and auditing. Often, customers normalize and add query functionality by using services like Amazon OpenSearch Service which can make it more simple to access logs later. You can learn more about this in the blog post “How US federal agencies can use AWS to improve logging and log retention.” Or, customers can use a third-party security information and event management (SIEM) product.

Additionally, EL1 requires that operating system (OS) and application logs be captured and stored. This can be accomplished a number of ways, but utilizing the Amazon CloudWatch agent to collect and ingest these logs can help with this.

Streamline event logging with AWS Control Tower and the Landing Zone Accelerator on AWS  

Many of these logs from AWS services are already captured and shipped to a centralized logging account as part of many AWS management and governance frameworks. This includes those deployed using AWS Control Tower and/or the Landing Zone Accelerator on AWS which can speed up the deployment of a secure, multi-account AWS environment, called a landing zone. For new or existing deployments, the centralized logging capability of AWS Control Tower and the Landing Zone Accelerator on AWS is the recommended method to capture the AWS logs called out in the EL1 requirement. These frameworks help automate the deployment of secure, resilient, and scalable cloud foundations to accelerate the path to compliance. Capturing these logs is also foundational to meeting EL2 and EL3 requirements.

While AWS Control Tower or AWS Landing Zone Accelerator on AWS can help you meet many of the logging requirements, agencies and organizations must still make sure that each service is compliant in its logging, formatting, and storage requirements for each service as per the memorandum.

Resources to configure event logging in AWS

If choosing to use AWS Control Tower and/or the Landing Zone Accelerator on AWS, we provide example best practices configurations in the solution to help you align with M-21-31 requirements. These are available in both the aws-best-practices and aws-best-practices-govcloud-us sample configurations. The configurations will turn on logging for the services called out in the memorandum and set the retention of most logs. If using Control Tower, you’ll also need to set the Control Tower S3 bucket retention for logging to 1000 days in addition to configuring the LZA. More details on how to set this configuration can be found in the AWS Control Tower User Guide.

If you are not using the Landing Zone Accelerator on AWS, you can still configure these logs for each service manually:

1. AWS CloudTrail: Creating a trail for an organization

2. Amazon CloudWatch: Cross-Account Cross-Region Dashboards with Amazon CloudWatch

3. AWS Config: Multi-Account Multi-Region Data Aggregation

4. Amazon S3 Access Logs: Logging requests using server access logging

5. Amazon VPC Flow Logs: How to enable VPC Flow Logs automatically using AWS Config rules

6. AWS WAF Logs: Logging web access control list (ACL) traffic in AWS WAF

7. AWS Shield: With AWS Shield Standard, you get always-on heuristics-based network flow monitoring and inline mitigation against common, most frequently occurring network and transport layer distributed denial-of-service (DDoS) attacks. This filtering is transparent to the AWS customer as these protections are applied broadly by AWS outside of the customer’s responsibility.

8. Amazon GuardDuty: Managing GuardDuty accounts with AWS Organizations

9. AWS Security Hub: Setting up AWS Security Hub

More resources to support event logging in AWS

Learn how to get started with AWS Control Tower and check out the Landing Zone Accelerator on AWS solution.

Find out how US federal agencies can use AWS to improve logging and log retention, read how AWS can help your US federal agency meet the executive order on improving the nation’s cybersecurity, and discover how to use AWS Security Hub and Amazon OpenSearch Service for SIEM.

For more support, check out the AWS Government Competency Partners that have demonstrated the ability to help government customers accelerate their migration of applications and legacy infrastructure to AWS.

Read more about AWS for federal customers:

• How the US DOJ Tax Division built a remote telework application in six weeks with AWS
• From open data to machine learning, making 1950 Census data available with AWS
• AWS announces low-to-no cost security services for federal political campaigns and committees
• How to implement CNAP for federal and defense customers in AWS
• Architecture framework for transforming federal customer experience and service delivery
• Move data in and out of AWS GovCloud (US) with Amazon S3
• How the cloud enables transformational citizen experiences

Subscribe to the AWS Public Sector Blog newsletter to get the latest in AWS tools, solutions, and innovations from the public sector delivered to your inbox, or contact us.

Please take a few minutes to share insights regarding your experience with the AWS Public Sector Blog in this survey, and we’ll use feedback from the survey to create more content aligned with the preferences of our readers.