Friday, 9 February 2018

AWS CloudTrail

Overview
  • Audit trail of all AWS activity
  • Use cases
    • Security audit
    • Debugging
    • Forensics

Trail
  • API calls
    • API calls
    • CLI/SDK
    • Console
  • Non-API
    • AWS Console Sign-Ins
    • AWS Service Events (not directly triggered by API call)
  • Each region has its own trail but may deliver to the same S3 bucket/CloudWatch Logs group
  • "InvokedBy"
    • For API calls made by AWS services (e.g. CloudFormation runs EC2 instance)
  • Event Types
    • Management - control plane (e.g. create S3 bucket)
    • Data - data plane (e.g. GetObject)

Global Services
  • IAM, CloudFront, STS, Route53
  • Events delivered to a trail only when its "Include global services" flag is enabled

Regions
  • Trail may be applied to all regions
    • Consistent settings across regions
      • All events delivered to single bucket
      • SNS notification to single topic
    • New regions automatically included
    • Global services included and de-duplicated
      • All come as if from single region
  • Trail may be applied to single region
    • "Include global services" flag available
  • Multiple trails per region
    • One for CSO, CTO, etc.
    • Max 5

Event Schema
  • Main elements
    • userIdentity
    • eventSource (AWS Service)
    • eventName (API action)
    • sourceIPAddress

Delivery
  • Up to 15 minutes behind the actual event
  • Every 5 minutes
  • Optional SNS notification that the file was delivered
  • Destination
    • S3 bucket
      • Key: 23333_CloudTrail_ap-northeast-_20150801T0210Z_Mu0KsOhtZZ.json.gz
    • CloudWatch Logs

LogFileValidation
  • Each log file is hashed with SHA-256 (digest files are signed with RSA over SHA-256)
  • Every hour delivers digest file
    • List of all hashes of all files
    • Signed with a private key (the matching public key is used to validate)
    • Contains signature of previous digest file
      • chaining
    • Delivered to S3 bucket (different folder)

Encryption
  • By default encrypted with SSE-S3
  • Can switch to SSE-KMS if needed

CloudWatch Logs Integration
  • Update trail
    • Specify CloudWatch Logs Group and Role
  • Allows creating metric filters and alarms
    • Examples
      • Console Sign-ins
      • Authorization Failure from API users
      • CloudTrail got disabled
      • Security Group changes
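The four alarm examples above can be checked against the schema elements from the Event Schema section (userIdentity, eventSource, eventName, sourceIPAddress). Added example, not from the original post: it unpacks a delivered .json.gz object and runs those four rules over constructed sample records (all names, IPs and ARNs invented).

```python
import gzip, io, json

# Constructed records in the shape of one delivered CloudTrail file ({"Records": [...]}).
SAMPLE_RECORDS = {"Records": [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7", "errorCode": "Client.UnauthorizedOperation"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/session1"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7"},
    # Service-initiated call: "invokedBy" identifies the AWS service, no rule should fire.
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AWSService", "invokedBy": "cloudformation.amazonaws.com"},
     "sourceIPAddress": "cloudformation.amazonaws.com"},
]}

# One rule per alarm example; each returns True when the record should raise it.
RULES = {
    "console_signin": lambda r: r.get("eventSource") == "signin.amazonaws.com"
                                and r.get("eventName") == "ConsoleLogin",
    "authz_failure": lambda r: r.get("errorCode") in ("AccessDenied", "Client.UnauthorizedOperation"),
    "cloudtrail_disabled": lambda r: r.get("eventSource") == "cloudtrail.amazonaws.com"
                                     and r.get("eventName") in ("StopLogging", "DeleteTrail"),
    "sg_change": lambda r: r.get("eventSource") == "ec2.amazonaws.com"
                           and r.get("eventName").startswith(("AuthorizeSecurityGroup",
                                                              "RevokeSecurityGroup")),
}

def sample_delivery():
    """Gzip the constructed records the way a delivered .json.gz object is packed."""
    return gzip.compress(json.dumps(SAMPLE_RECORDS).encode())

def load_records(gz_bytes):
    """Decompress one delivered log object and return its Records list."""
    with gzip.open(io.BytesIO(gz_bytes), "rt") as f:
        return json.load(f)["Records"]

def actor(record):
    """Best available principal name from userIdentity (user, assumed-role ARN, or invoking service)."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("invokedBy") or "unknown"

def scan(records):
    """Return (rule, actor, sourceIPAddress, eventName) for every record that matches a rule."""
    return [(name, actor(r), r.get("sourceIPAddress"), r.get("eventName"))
            for r in records for name, rule in RULES.items() if rule(r)]
```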

Write Once Storage
  • Good fit: S3 bucket versioning + MFA delete

Alerting
  • SNS/Lambda
  • Third Party Tools
    • Alert Logic Managers
    • LogEntries
    • LogStash
