CloudTrail logs track actions taken by a user, role, or AWS service, whether performed through the AWS console or through API operations. In contrast to on-premises infrastructure, where something as important as network flow monitoring (NetFlow logs) could take weeks or months to get off the ground, AWS can turn on flow logging with a few clicks at relatively low cost.
Some basic tracking is enabled by default with AWS CloudWatch and CloudTrail, but you should review the configuration and use this guide to apply the most important best practices.
Most services publish CloudTrail events, but the event history only retains events from the past 90 days. In order to keep the data long term, you'll need to create a Trail and enable continuous delivery to an S3 bucket. By default, when you create a Trail, it captures data from all regions.
Integrating your CloudTrail logs into Coralogix requires only deploying a Lambda function. Regardless, most alerts in this post will work with any ELK-based solution. (Note that AWS Open Distro provides alerting for ELK as open source.)
Today's cloud-based applications give users unprecedented access, from different endpoints and locations. It is very important for companies to determine quickly whether application activity is hostile or part of normal business. In some companies, security organizations will draw up a formal list of requirements for DevOps and engineering in order to satisfy internal risk management or, in regulated industries, outside auditing. Formality aside, it is essential for every AWS-based company to continuously monitor user, admin and application activity and to identify red flags or malicious activity. There is a reason AWS makes CloudTrail logs available to its customers.
In this post we will show examples of how Coralogix's simple but powerful alerting capability, combined with AWS CloudTrail, can help companies implement such security requirements. The first example includes details about the different fields on the alert page; the other examples focus on the use case (unless new alert fields and options are introduced).
Below is a table with different CloudTrail alerts.
All the alerts below are of type Standard, and the alert condition is Notify Immediately.
| Alert | Description | Query |
|---|---|---|
| CloudTrail – Alert for usage of "root" account | Notify when the root account is being used | `userIdentity.type:Root AND NOT _exists_:userIdentity.invokedBy AND NOT eventType:AwsServiceEvent` |
| CloudTrail – Change bucket policy | Notify when the CloudTrail bucket policy has been changed | `eventSource:"s3.amazonaws.com" AND (eventName:PutBucketAcl OR eventName:PutBucketPolicy OR eventName:PutBucketCors OR eventName:PutBucketLifecycle OR eventName:PutBucketReplication)` |
| CloudTrail – AccessDenied | Notify when an API call in the listed accounts fails with an AccessDenied error | `recipientAccountName:("xxx" OR "yyy") AND errorCode:"accessdenied"` |
| CloudTrail – sourceIPAddress outside India/US | Notify when the source IP is outside India or the US | `_exists_:sourceIPAddress_geoip NOT sourceIPAddress_geoip.country_name.keyword:/india\|united states/` |
| CloudTrail – Attempt to delete a certificate and its associated private key | Notify upon deletion of a certificate and its associated private key | `eventName:ExportCertificate AND eventSource:"acm.amazonaws.com"` |
| CloudTrail – Attempt to update certificate options (both success and failure) | Notify when a certificate is being updated, whether the update succeeds or fails | `eventName:UpdateCertificate AND eventSource:"acm.amazonaws.com"` |
| CloudTrail – Attempt to create DB with the property "publicly accessible" | Notify when a DB is being created with public access | `publiclyAccessible:true AND eventName:CreateDBInstance` |
| CloudTrail – Attempt to update distribution | Notify when there is an attempt to update an AWS distribution | `eventName.keyword:/(Create.*Distribution\|Delete.*Distribution\|Update.*Distribution)/` |
| CloudTrail – New admin added | Notify when a new admin has been added to the account | `eventName:AddUserToGroup AND requestParameters.groupName:/.*admin.*/` |
| CloudTrail – Admin privileges granted | Notify when a user gets admin privileges | `eventName:AttachUserPolicy AND requestParameters.policyArn:AdministratorAccess` |
| CloudTrail – Disabled or scheduled deletion of customer-created CMKs | Notify when a customer CMK gets disabled or scheduled for deletion | `eventSource:"kms.amazonaws.com" AND (eventName:DisableKey OR eventName:ScheduleKeyDeletion)` |
| CloudTrail – AWS Config configuration change | Notify when the AWS Config configuration gets changed | `eventSource:"config.amazonaws.com" AND eventName.keyword:((Stop\|Put)ConfigurationRecorder\|((Delete\|Put)DeliveryChannel))` |
| CloudTrail – CloudTrail config changes | Notify when the CloudTrail configuration has been changed | `eventName.keyword:(CreateTrail\|UpdateTrail\|DeleteTrail\|StartLogging\|StopLogging)` |
| CloudTrail – IAM policy changes | Notify when there is a change to an IAM policy | `eventName.keyword:/(Delete\|Put\|Create\|Attach\|Detach)(Group\|Role\|User)?Policy(Version)?/` |
| CloudTrail – Security group changes | Notify when there is a change to a security group | `eventName:/(Authorize\|Revoke\|Create\|Delete)SecurityGroup((In\|E)gress)?/` |
| CloudTrail – Changes to Network Access Control Lists detected | Notify when a network ACL has been changed | `eventName.keyword:/(Create\|Delete\|Replace)NetworkAcl(Entry\|Association)?/` |
| CloudTrail – Changes to network gateways detected | Notify when there is a change to a network gateway | `eventName.keyword:/(Create\|Delete\|Attach\|Detach)Gateway/` |
| CloudTrail – Route table changes detected | Notify when there is a change to a VPC/EC2 route table | `eventName.keyword:/(Create\|Replace\|Delete\|Disassociate)Route(Table)?(Association)?/` |
| CloudTrail – VPC change detected | Notify when there is a change to a VPC | `eventName.keyword:/(Create\|Delete\|Accept\|Reject\|Modify\|Attach\|Detach\|Disable\|Enable)(Vpc)?(ClassicLink)?(Vpc)?(Attribute\|PeeringConnection)?/` |
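As an added example (not part of the original post or of Coralogix's own code), the Python below re-expresses four of the table's alert conditions as predicates and runs them over constructed CloudTrail records, so the matching logic can be checked offline before it is turned into a saved alert. Field names follow the CloudTrail record schema; the sample events, including the `AWS Internal` value in `invokedBy`, are fabricated for illustration.

```python
import re

BUCKET_CHANGES = {"PutBucketAcl", "PutBucketPolicy", "PutBucketCors",
                  "PutBucketLifecycle", "PutBucketReplication"}
SG_RE = re.compile(r"^(Authorize|Revoke|Create|Delete)SecurityGroup((In|E)gress)?$")

def is_root_usage(ev):
    # Direct root activity only: calls a service makes on root's behalf carry
    # userIdentity.invokedBy, and AwsServiceEvent records are excluded as well.
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")

def is_bucket_policy_change(ev):
    return ev.get("eventSource") == "s3.amazonaws.com" and ev.get("eventName") in BUCKET_CHANGES

def is_new_admin(ev):
    # AddUserToGroup into any group whose name contains "admin" (case-insensitive).
    group = (ev.get("requestParameters") or {}).get("groupName", "")
    return ev.get("eventName") == "AddUserToGroup" and re.search("admin", group, re.I) is not None

def is_security_group_change(ev):
    return SG_RE.match(ev.get("eventName", "")) is not None

RULES = {"root account used": is_root_usage, "bucket policy changed": is_bucket_policy_change,
         "new admin added": is_new_admin, "security group changed": is_security_group_change}

def evaluate(events):
    """Return {rule name: [eventID, ...]} for every rule that matched at least one event."""
    hits = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev["eventID"])
    return hits

# Constructed sample records, trimmed to the fields the rules read.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}},
    {"eventID": "e2", "eventType": "AwsApiCall", "eventName": "DescribeInstances",
     "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}},  # service call, no alert
    {"eventID": "e3", "eventType": "AwsApiCall", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "userIdentity": {"type": "IAMUser"}},
    {"eventID": "e4", "eventType": "AwsApiCall", "eventSource": "iam.amazonaws.com",
     "eventName": "AddUserToGroup", "userIdentity": {"type": "IAMUser"},
     "requestParameters": {"groupName": "Administrators", "userName": "alice"}},
    {"eventID": "e5", "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "AssumedRole"}},
]
```

Running `evaluate(SAMPLE_EVENTS)` fires each rule exactly once (e1, e3, e4, e5) and stays silent on e2, which is the exclusion the root-account query's `NOT _exists_:userIdentity.invokedBy` clause exists for.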
For more information about CloudTrail logs and other AWS logs, visit our extensive AWS logging guide.
This blog post focused on how to create security alerts based on AWS CloudTrail logs and showed some examples of such alerts. There is a vast universe of CloudWatch logs out there, and you will most likely have your own use cases and requirements, so take the methods and concepts shown here and adapt them to your own needs. If you need help or have any questions, don't hesitate to reach out to [email protected]. You can learn more about unlocking the value embedded in AWS and other logs in our other blog posts.