🏛️ NIST 800-53 AU-9 · Rule: NIST-AU-009 · Severity: high

Protection of Audit Information

Description

Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

⚠️ Risk Impact

Logs are the forensic record. Attackers who reach logging infrastructure delete evidence of their actions. Without tamper-resistant logs, attribution and reconstruction fail.

🔍 How EchelonGraph Detects This

NIST-AU-009: Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Ship logs to a separate account and region. Enable S3 Object Lock or an equivalent immutability mechanism. Restrict log access through separate IAM principals and policies, so production administrators cannot delete the logs that record their actions. Cryptographically sign logs so that any modification or deletion is detectable and chain of custody can be demonstrated.
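The last remediation step, signing logs so that tampering is detectable, is illustrated below with a hash-chained HMAC log: each entry's tag covers the entry and the previous tag, and the final tag is anchored out of band (in the separate account the first step calls for). This is an added example, not EchelonGraph code or a CloudTrail implementation; the key, the event records and the function names are constructed for the demonstration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # anchor for the first entry's "prev" field


def _body(seq, prev, event):
    # Canonical serialization so the tag covers exactly these fields.
    return json.dumps({"seq": seq, "prev": prev, "event": event}, sort_keys=True).encode()


def sign_records(events, key):
    """Seal events into a hash chain: each tag is an HMAC over the entry and the
    previous entry's tag, so editing, reordering or deleting an entry breaks the chain."""
    sealed, prev = [], GENESIS
    for seq, event in enumerate(events):
        tag = hmac.new(key, _body(seq, prev, event), hashlib.sha256).hexdigest()
        sealed.append({"seq": seq, "prev": prev, "event": event, "tag": tag})
        prev = tag
    return sealed


def verify_chain(sealed, key, anchor=None):
    """Return (True, None) if the chain is intact, else (False, index_of_first_bad_entry).
    `anchor` is the final tag stored out of band (e.g. in a separate account);
    without it, silently dropping the tail of the log cannot be detected."""
    prev = GENESIS
    for expected_seq, entry in enumerate(sealed):
        tag = hmac.new(key, _body(entry["seq"], entry["prev"], entry["event"]),
                       hashlib.sha256).hexdigest()
        if (entry["seq"] != expected_seq or entry["prev"] != prev
                or not hmac.compare_digest(tag, entry["tag"])):
            return False, expected_seq
        prev = entry["tag"]
    if anchor is not None and prev != anchor:
        return False, len(sealed)  # tail truncated: chain never reaches the anchored tag
    return True, None


# Constructed sample events, loosely shaped like CloudTrail records (not real data).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "user": "admin", "sourceIP": "203.0.113.10"},
    {"eventName": "StopLogging", "user": "admin", "trail": "org-trail"},
    {"eventName": "DeleteObject", "user": "admin", "bucket": "cloudtrail-logs"},
]
DEMO_KEY = b"constructed-demo-key-do-not-use"  # a real deployment keeps the key in KMS/HSM

if __name__ == "__main__":
    chain = sign_records(SAMPLE_EVENTS, DEMO_KEY)
    print("intact:", verify_chain(chain, DEMO_KEY, anchor=chain[-1]["tag"]))
    print("tail deleted:", verify_chain(chain[:2], DEMO_KEY, anchor=chain[-1]["tag"]))
```

The verifier must run under a principal that the logged administrators cannot control, otherwise the key and the anchor are as deletable as the logs themselves.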

💀 Real-World Attack Scenario

An attacker compromised an AWS admin user and deleted CloudTrail logs from the same account before being detected. Investigation found that despite extensive cloud logging being 'enabled', the team had no evidence of what the attacker did between compromise and discovery. AU-9 deficiency: 'logs were not protected from unauthorized modification'.

💰 Cost of Non-Compliance

Log tampering during breach: increases forensic cost 3-5× (Mandiant M-Trends 2024). FedRAMP AU-9 deficiency blocks ATO renewal.

📋 Audit Questions

  1. Where are audit logs stored? In the same account as production?
  2. How are logs protected from modification?
  3. Walk me through who has access to delete logs.
  4. Show evidence of log integrity verification.

🎯 MITRE ATT&CK Mapping

  • T1070 — Indicator Removal on Host
  • T1562.008 — Disable Cloud Logs

⚡ Common Pitfalls

  • Logs stored in same account as the systems they record
  • Log-deletion permissions overly broad — anyone with admin can erase forensics
  • No cryptographic log signing — modifications can't be detected

📈 Business Value

Tamper-resistant logging is the foundation of forensic capability. Without it, every other monitoring control becomes unreliable in the moment it matters most.

⏱️ Effort Estimate

Manual

16-32 hours: refactor the log architecture to a centralized, immutable store

With EchelonGraph

EchelonGraph monitors logging integrity and alerts on unauthorized deletion attempts

🔗 Cross-Framework References

SOC2-CC7.1, PCI-10.5

Automate NIST 800-53 AU-9 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
