HumanCellAtlas / logs

Infrastructure for centralizing and indexing logs


Capture appropriate alerts and audit trails so we can handle detected attacks and understand the consequences of emergent threats and breaches

stahiri opened this issue · comments

As specified in the [Q2 Roadmap](https://docs.google.com/spreadsheets/d/1iAL2JR3ndgMmYwojUU0kU8Pm7B7ycRLt_973seREd3M/edit#gid=1107068822&range=C10).

We need appropriate alerts and audit trails so we can learn about and appropriately handle detected attacks and understand the consequences of emergent threats and breaches. This includes being able to know when an attack is taking place and being able to see in the logs what the attack entailed (what the attacker accessed, changed, etc.).

Deliverable:
Ensure each component captures audit logs for the following types of events (as appropriate):
• Server alerts and error messages
• User log-on and log-off (successful or unsuccessful)
• System administration activities
• Modification of privileges and access
• Modifications to the application
• Application alerts and error messages
• Configuration changes
• Account creation, modification, or deletion

This is complete. Covered by the following log groups:

  • `/aws/ecs/elk-oidc-proxy-<deployment-stage>` for activity of the login proxy
  • AWS account CloudTrail for privilege changes, alerts, logins, and access of the Elasticsearch cluster. Use the query `{ $.userIdentity.sessionContext.sessionIssuer.arn = "arn:aws:iam::*:role/elk-oidc-proxy" && $.requestParameters.roleSessionName != "bot@*" }`
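Added example (not HumanCellAtlas project code): a Python re-implementation of the CloudTrail filter pattern quoted above, run over constructed CloudTrail-like log lines, to show which records the two clauses select and which they exclude (bot sessions, other roles, records with no session name). The account id, user and session names, and the `lookup`, `is_human_proxy_session` and `flag_human_sessions` helpers are assumptions made for this illustration.

```python
import json
from fnmatch import fnmatchcase

ROLE_ARN_PATTERN = "arn:aws:iam::*:role/elk-oidc-proxy"  # first clause of the issue's filter
BOT_SESSION_PATTERN = "bot@*"                              # second clause (negated)

def lookup(record, path):
    """Resolve a CloudWatch-style selector such as $.a.b.c; None if any key is absent."""
    node = record
    for key in path[2:].split("."):  # drop the leading "$."
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def is_human_proxy_session(record):
    """True when the call came through the elk-oidc-proxy role from a non-bot session.
    A record missing either field is treated as not matching (assumption made here)."""
    issuer = lookup(record, "$.userIdentity.sessionContext.sessionIssuer.arn")
    session = lookup(record, "$.requestParameters.roleSessionName")
    if not isinstance(issuer, str) or not isinstance(session, str):
        return False
    return fnmatchcase(issuer, ROLE_ARN_PATTERN) and not fnmatchcase(session, BOT_SESSION_PATTERN)

def flag_human_sessions(log_lines):
    """Return (eventName, roleSessionName) for every JSON log line the filter selects."""
    hits = []
    for line in log_lines:
        record = json.loads(line)
        if is_human_proxy_session(record):
            hits.append((record["eventName"], lookup(record, "$.requestParameters.roleSessionName")))
    return hits

def _event(event_name, issuer_arn, session_name=None):
    """Build one constructed CloudTrail-like log line (test data, not a real event)."""
    record = {"eventName": event_name,
              "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": issuer_arn}}}}
    if session_name is not None:
        record["requestParameters"] = {"roleSessionName": session_name}
    return json.dumps(record)

# Constructed sample log lines; the account id, user names and domain are placeholders.
PROXY_ROLE = "arn:aws:iam::123456789012:role/elk-oidc-proxy"
SAMPLE_LOG_LINES = [
    _event("AssumeRole", PROXY_ROLE, "alice@example.org"),  # human via the proxy: selected
    _event("AssumeRole", PROXY_ROLE, "bot@indexer"),        # automated session: excluded
    _event("AssumeRole", "arn:aws:iam::123456789012:role/other-role", "carol@example.org"),  # wrong role
    _event("DescribeElasticsearchDomain", PROXY_ROLE),      # no roleSessionName: excluded
]
```

Running `flag_human_sessions(SAMPLE_LOG_LINES)` returns only the `alice@example.org` session, which is the set of events a reviewer would want surfaced as interactive access through the proxy role.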