KSI-MLA-ALA—Authorizing Log Access
Formerly KSI-MLA-08
Control Description
NIST 800-53 Controls
Trust Center Components (3)
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express audit log integrity through technical controls — immutable storage with hash chain verification, CloudTrail digest validation, and log pipeline architecture showing collection-to-analysis flow. Log tamper-proofing becomes a verifiable property checked by automated integrity validation, not just a stated commitment in a policy document.
Audit Log Architecture
Architecture expressing log collection, aggregation, storage, and analysis pipeline — shows how integrity is maintained at each stage
Log Integrity Protections
How audit logs are protected from tampering — immutable storage, hash chains, and automated integrity verification
Audit Logging Policy
Human-readable audit logging policy covering event types, retention periods, and tamper protection — documents intent behind log pipeline architecture
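The hash-chain verification mentioned under "From the field" and "Log Integrity Protections", worked as an added example (not code from the page or from any FedRAMP artifact). Each entry commits to the previous entry's digest, so editing, deleting, inserting or reordering a record breaks the chain at the first affected position. The record layout, field names and sample events are assumptions constructed for illustration. The example also shows the caveat that a bare chain cannot detect truncation of its tail: the most recent head hash must be anchored somewhere the log writer cannot modify (a write-once bucket, a KMS-signed checkpoint, a separate account) and compared on every verification run.

```python
"""Hash-chained audit log with tamper detection (added example, not the page's code)."""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first entry

Entry = Dict[str, object]


def _canonical(obj: dict) -> bytes:
    # Canonical JSON: key order and whitespace cannot change the digest.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _digest(seq: int, prev_hash: str, event: dict) -> str:
    return hashlib.sha256(
        _canonical({"seq": seq, "prev_hash": prev_hash, "event": event})
    ).hexdigest()


def append_record(chain: List[Entry], event: dict) -> Entry:
    """Append an event, linking it to the previous entry's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    entry: Entry = {
        "seq": seq,
        "prev_hash": prev_hash,
        "event": event,
        "hash": _digest(seq, prev_hash, event),
    }
    chain.append(entry)
    return entry


def verify_chain(chain: List[Entry]) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_seq).

    Catches an edited record (digest mismatch), a deleted or inserted record
    (seq/prev_hash mismatch) and reordering. It does NOT catch removal of the
    newest entries, because a shorter chain is still internally consistent.
    """
    prev_hash = GENESIS
    for expected_seq, entry in enumerate(chain):
        recomputed = _digest(entry["seq"], entry["prev_hash"], entry["event"])
        if (
            entry["seq"] != expected_seq
            or entry["prev_hash"] != prev_hash
            or entry["hash"] != recomputed
        ):
            return False, expected_seq
        prev_hash = entry["hash"]
    return True, None


def verify_with_anchor(chain: List[Entry], anchored_head: str) -> Tuple[bool, Optional[int]]:
    """Chain verification plus a check against an out-of-band head hash.

    `anchored_head` is assumed to be the latest hash written to a store the
    log writer cannot modify; a mismatch means the tail was truncated or
    the anchor is stale. The failing position is reported as len(chain).
    """
    ok, bad = verify_chain(chain)
    if not ok:
        return False, bad
    if not chain or chain[-1]["hash"] != anchored_head:
        return False, len(chain)
    return True, None


def build_sample_chain() -> List[Entry]:
    """Constructed sample log-access events (not real audit data)."""
    events = [
        {"ts": "2024-05-01T10:00:00Z", "user": "alice", "action": "StartQuery", "log_group": "/app/auth"},
        {"ts": "2024-05-01T10:05:00Z", "user": "bob", "action": "FilterLogEvents", "log_group": "/app/db-queries"},
        {"ts": "2024-05-01T10:09:00Z", "user": "alice", "action": "CreateExportTask", "log_group": "/app/auth"},
    ]
    chain: List[Entry] = []
    for ev in events:
        append_record(chain, ev)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    head = chain[-1]["hash"]
    print("intact:", verify_chain(chain))
    chain[1]["event"]["user"] = "mallory"
    print("edited record:", verify_chain(chain))
    print("tail truncated, chain only:", verify_chain(build_sample_chain()[:-1]))
    print("tail truncated, with anchor:", verify_with_anchor(build_sample_chain()[:-1], head))
```

For CloudTrail specifically, the equivalent check is the managed digest chain: enable log file validation on the trail and run `aws cloudtrail validate-logs --trail-arn <arn> --start-time <time>` on a schedule, treating any "INVALID" or "NOT FOUND" digest as an integrity incident rather than a warning.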
Programmatic Queries
CLI Commands
aws logs describe-log-groups --query "logGroups[].{Name:logGroupName,Retention:retentionInDays,Stored:storedBytes}" --output table
Lists every CloudWatch Logs log group with its retention period (a missing value means logs never expire) and stored volume; use it as the inventory of log sources that need a sensitivity classification.
aws logs describe-resource-policies --output json
Lists the CloudWatch Logs resource policies, which grant other AWS services and accounts access to log groups; review these for standing access paths that bypass JIT controls.
20x Assessment Focus Areas
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- Does your log access control model cover all log types — application logs, infrastructure logs, security event logs, audit trails, and database query logs?
- Are log data sensitivity levels defined for all log sources, or are some log streams accessible without classification?
- How do you ensure JIT access controls apply to all log access paths — SIEM UI, API queries, direct storage access, and exported log files?
- Are there log data consumers (monitoring dashboards, alerting systems, third-party integrations) that have standing access to sensitive logs without JIT controls?
Automation & Validation:
- What automated controls enforce that sensitive log access requires JIT elevation and is automatically revoked after the approved time window?
- How do you detect unauthorized log access — someone querying logs they should not have access to or accessing logs outside approved JIT sessions?
- What happens if a user attempts to export or download sensitive log data — is it blocked, logged, or allowed?
- How do you validate that log access controls actually prevent unauthorized access rather than just logging violations after the fact?
Inventory & Integration:
- What log management platform enforces access controls, and how does it integrate with your IdP and PAM system for RBAC/ABAC and JIT?
- How do you maintain a classification inventory of all log sources and their sensitivity levels?
- Are log access policies defined as code (IAM policies, SIEM role configurations) and version-controlled?
- How does log access auditing integrate with your SIEM to detect and alert on suspicious log access patterns?
Continuous Evidence & Schedules:
- How do you demonstrate that log access controls have been consistently enforced over the past 90 days?
- Is log access audit data (who accessed what logs, when, via what JIT session) available via API for assessor review?
- How frequently are log access privileges reviewed and right-sized, and what evidence shows each review was completed?
- What evidence shows that log data sensitivity classifications are reviewed and updated as new log sources are added?
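The detection questions above (access outside an approved JIT session, unclassified log sources, export of sensitive log data) worked as one added example; this is not code from the page or from any assessor tooling. It correlates CloudTrail-style log-read events against a JIT session register and a classification inventory. The event fields (`eventName`, `eventTime`, `userIdentity.arn`, `requestParameters.logGroupName` or `logGroupNames`) follow CloudTrail's layout for the CloudWatch Logs API, but the records themselves are constructed, and the session register and classification map are assumed formats; a real pipeline would read the sessions from the PAM system and the inventory from version control.

```python
"""Flag CloudWatch Logs reads that fall outside approved JIT sessions (added example)."""
from datetime import datetime
from typing import Dict, List, Tuple

# Log-reading API calls whose requestParameters name the log group(s).
READ_EVENTS = {"GetLogEvents", "FilterLogEvents", "StartQuery"}
# Export/download paths: policy treats any export of sensitive logs as a finding.
EXPORT_EVENTS = {"CreateExportTask"}

Finding = Tuple[str, str, str, str]  # (principal, eventName, logGroup, reason)


def _ts(s: str) -> datetime:
    # CloudTrail timestamps end in "Z"; fromisoformat needs an explicit offset on older Pythons.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _log_groups(event: dict) -> List[str]:
    rp = event.get("requestParameters") or {}
    groups = [rp["logGroupName"]] if "logGroupName" in rp else []
    groups.extend(rp.get("logGroupNames", []))  # StartQuery may name several
    return groups


def jit_covers(sessions: List[dict], principal: str, group: str, when: datetime) -> bool:
    """True if an approved session grants `principal` access to `group` at `when` (inclusive window)."""
    return any(
        s["principal"] == principal
        and group in s["log_groups"]
        and _ts(s["start"]) <= when <= _ts(s["end"])
        for s in sessions
    )


def audit_log_access(events: List[dict], sessions: List[dict], classification: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        name = ev["eventName"]
        if name not in READ_EVENTS and name not in EXPORT_EVENTS:
            continue  # DescribeLogGroups etc. are not content reads
        principal = ev["userIdentity"]["arn"]
        when = _ts(ev["eventTime"])
        for group in _log_groups(ev):
            level = classification.get(group)
            if level is None:
                findings.append((principal, name, group, "unclassified log source"))
            elif name in EXPORT_EVENTS and level == "sensitive":
                findings.append((principal, name, group, "export of sensitive logs"))
            elif level == "sensitive" and not jit_covers(sessions, principal, group, when):
                findings.append((principal, name, group, "sensitive access outside approved JIT session"))
    return findings


# Constructed inputs (assumed formats, not real data).
ALICE = "arn:aws:sts::111122223333:assumed-role/LogReader/alice"
BOB = "arn:aws:sts::111122223333:assumed-role/LogReader/bob"
CAROL = "arn:aws:sts::111122223333:assumed-role/LogReader/carol"
MONITOR = "arn:aws:sts::111122223333:assumed-role/DashboardRole/grafana"

SESSIONS = [
    {"principal": ALICE, "log_groups": ["/app/auth"], "start": "2024-05-01T10:00:00Z", "end": "2024-05-01T11:00:00Z"},
    {"principal": BOB, "log_groups": ["/app/auth", "/app/db-queries"], "start": "2024-05-01T09:00:00Z", "end": "2024-05-01T12:00:00Z"},
]
CLASSIFICATION = {"/app/auth": "sensitive", "/app/db-queries": "sensitive", "/infra/elb-access": "internal"}


def _ev(time: str, name: str, arn: str, params: dict) -> dict:
    return {"eventTime": time, "eventSource": "logs.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params}


EVENTS = [
    _ev("2024-05-01T10:05:00Z", "FilterLogEvents", ALICE, {"logGroupName": "/app/auth"}),            # inside session
    _ev("2024-05-01T10:10:00Z", "StartQuery", ALICE, {"logGroupNames": ["/app/auth", "/app/db-queries"]}),  # second group not granted
    _ev("2024-05-01T12:30:00Z", "GetLogEvents", BOB, {"logGroupName": "/app/auth"}),                # session expired 12:00
    _ev("2024-05-01T12:31:00Z", "FilterLogEvents", CAROL, {"logGroupName": "/infra/elb-access"}),   # non-sensitive, no JIT needed
    _ev("2024-05-01T12:40:00Z", "FilterLogEvents", MONITOR, {"logGroupName": "/app/new-service"}),  # not in inventory
    _ev("2024-05-01T10:20:00Z", "CreateExportTask", ALICE, {"logGroupName": "/app/auth"}),          # export of sensitive logs
    _ev("2024-05-01T10:21:00Z", "DescribeLogGroups", BOB, {}),                                      # metadata only, ignored
]


def run_sample() -> List[Finding]:
    return audit_log_access(EVENTS, SESSIONS, CLASSIFICATION)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

In production the same check runs on a schedule over the trail's events for the CloudWatch Logs, S3 (for exported or archived logs) and SIEM API sources, so that every access path in the coverage questions is evaluated against the same session register; the findings list is the evidence an assessor can request for the 90-day window.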
Update History