AU-3(1) Content of Audit Records | Additional Audit Information

IL4 Mod
IL4 High
IL5
IL6

>Control Description

Generate audit records containing the following additional information: [Assignment: organization-defined additional information].

>DoD Impact Level Requirements

FedRAMP Parameter Values

AU-3 (1) [session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]

Additional Requirements and Guidance

AU-3 (1) Guidance: For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.
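
Several of the FedRAMP parameter values above are conditional: byte counts apply to client-server transactions, individual identities to group accounts, and full command text to privileged commands. The following Python check is an added example, not part of the original page or of any FedRAMP tooling; the JSON field names (`duration_ms`, `bytes_sent`, `individual_id`, `command_full_text` and the others) are a hypothetical schema, and the sample records are constructed.

```python
import json

# Hypothetical JSON field names (an assumption); map them to your own log schema.
ALWAYS = ("duration_ms", "message", "object")

def missing_au3_1_fields(record):
    """Return the AU-3(1) additional-information fields absent from one record."""
    def absent(key):
        return record.get(key) in (None, "", {}, [])
    missing = [k for k in ALWAYS if absent(k)]
    # Byte counts apply only to client-server transactions; 0 is a valid value.
    if record.get("event_type") == "client_server_transaction":
        missing += [k for k in ("bytes_sent", "bytes_received") if record.get(k) is None]
    # A group (shared) account must be resolved to the individual behind it.
    if record.get("account_type") == "group" and absent("individual_id"):
        missing.append("individual_id")
    # Privileged commands need their full text, not just the program name.
    if record.get("privileged") and absent("command_full_text"):
        missing.append("command_full_text")
    return missing

def audit_log_gaps(lines):
    """Map 1-based line number to the missing fields, for records with gaps."""
    gaps = {}
    for n, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            record = None
        if not isinstance(record, dict):
            gaps[n] = ["<unparseable record>"]
            continue
        missing = missing_au3_1_fields(record)
        if missing:
            gaps[n] = missing
    return gaps

# Constructed sample records, one JSON object per line (not real log data).
SAMPLE_LOG = [
    '{"event_type": "client_server_transaction", "duration_ms": 412, "bytes_sent": 0, "bytes_received": 18233, "message": "GET /reports/q3", "object": {"type": "file", "id": "reports/q3.pdf"}, "account_type": "individual"}',
    '{"event_type": "command", "duration_ms": 35, "message": "sudo invoked", "object": {"type": "host", "id": "db01"}, "account_type": "group", "account": "dbadmin", "privileged": true, "command": "systemctl"}',
    '{"event_type": "client_server_transaction", "bytes_sent": 512, "message": "PUT /upload", "object": {"type": "bucket", "id": "uploads"}, "account_type": "individual"}',
    '{"event_type": "login", "duration_ms"',
]

if __name__ == "__main__":
    for n, fields in audit_log_gaps(SAMPLE_LOG).items():
        print(f"line {n}: missing {', '.join(fields)}")
```

Running the check over a day of application logs gives an assessor-ready list of records that fall short of the parameter values, and a truncated or malformed line is reported rather than silently skipped.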

>Discussion

The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements.

This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy.

>Programmatic Queries

Related Services

AWS CloudTrail
AWS Config
CloudWatch Logs

CLI Commands

Create a CloudTrail trail that delivers events, including global service events, to an S3 bucket
aws cloudtrail create-trail --name audit-trail --s3-bucket-name compliance-bucket --include-global-service-events --region us-east-1
Configure the trail to log read and write management events (this selector does not enable data events)
aws cloudtrail put-event-selectors --trail-name audit-trail --event-selectors ReadWriteType=All,IncludeManagementEvents=true --region us-east-1
Create a CloudWatch log group for centralized audit record aggregation
aws logs create-log-group --log-group-name /aws/cloudtrail/audit-logs
Enable CloudTrail Insights to detect unusual API call rates
aws cloudtrail put-insight-selectors --trail-name audit-trail --insight-selectors InsightType=ApiCallRateInsight --region us-east-1

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AU-3(1) (Additional Audit Information)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AU-3(1)?
  • How frequently is the AU-3(1) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AU-3(1)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AU-3(1) requirements.
  • What automated tools, systems, or technologies are deployed to implement AU-3(1)?
  • How is AU-3(1) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AU-3(1) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AU-3(1)?
  • What audit logs, records, reports, or monitoring data validate AU-3(1) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AU-3(1) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AU-3(1) compliance?
