With a vast market share and a wide range of security services for organizations, Amazon Web Services (AWS) is the most prominent cloud service provider. AWS offers countless tools and services, and it’s easy to see how security teams can get overwhelmed with all the different options available to secure their AWS account.
But one service, AWS CloudTrail, stands out as one of the most practical tools for security governance, threat detection, and response. Plus, it’s not difficult to set up.
The AWS CloudTrail service provides you with complete visibility into your AWS account from a security auditing, governance, compliance, and risk perspective.
With CloudTrail, each action taken by a user, role, or an AWS service is logged and recorded as an event.
Remember, logging is an essential component of any robust cybersecurity program.
With the logs generated by CloudTrail, you can:
To sum up, CloudTrail allows you to analyze your AWS account to identify who or what took which action, which resources were acted upon, and when the event occurred. CloudTrail is critical for understanding your cloud security posture and provides a wide variety of rich data.
When it comes to analyzing events that occur in your AWS environment, CloudTrail logs are like the perfect Swiss Army knife.
At a high level, there are four primary benefits of leveraging CloudTrail logs for your monitoring program:
1. Take charge of security visibility: As mentioned above, CloudTrail enables you to discover and analyze every single activity (user, role, service, and even API) occurring within your environment. Further, CloudTrail facilitates discovery and troubleshooting of operational and security issues while capturing a detailed history of changes at regular intervals.
2. Compliance and monitoring made simple: CloudTrail can easily be integrated with another AWS service like Amazon CloudWatch so you can alert and expedite your response to any non-compliance event.
3. Automate security: With CloudTrail, you can automate responses to security threats much faster than traditional detection and response systems.
4. Detect data exfiltration (data theft): You can take advantage of CloudTrail to record Simple Storage Service (S3) object-level API events to help detect data exfiltration and perform usage analysis of S3 objects.
Digging a little deeper, there are several ways CloudTrail delivers data for security monitoring.
Here are the most prominent:
S3 Bucket
S3 Buckets are required to create a new CloudTrail, and can optionally be configured to send messages to an SNS messaging topic when new data is delivered. S3 buckets can be used to initiate data processing pipelines and have increased reliability over using S3 event notifications. CloudTrail will deliver data between five and fifteen minutes of the event occurrence.
CloudWatch Events
CloudWatch Events enables you to analyze CloudTrail data in real-time. When a CloudTrail is created, data automatically begins sending to CloudWatch Events. Data can be processed by using Event Rules to forward information to Lambda functions, Kinesis Streams, and more. One notable drawback here is that each region/account must be set up to centralize the data, and only write-level events are captured.
CloudWatch Logs
CloudTrail can also be sent to a CloudWatch Log group, which takes advantage of processing multi-region data in real-time from a single place. Cost and flexibility may be impacted, however, since only a single subscription filter can be associated with a log group.
Macie and GuardDuty
AWS Macie is a service that uses machine learning on S3 data to identify anomalous activity, while AWS GuardDuty is a broader service that can identify attacker activity (such as reconnaissance) in an account. Enabling these services can deliver quick wins in analyzing CloudTrail data.
Encryption
Since CloudTrail data is sensitive, it’s highly recommended to protect it with KMS encryption.
When creating the CloudTrail, a KMS Key can be associated by passing in the key ID. Additionally, an appropriate policy should be implemented to apply kms:Decrypt permissions on the key to allow users or roles to process the data.
Insights
CloudTrail’s Insights service can help detect higher than normal API call volume on write-based events, such as spikes in resource provisioning, bursts of AWS Identity and Access Management (IAM) actions, or gaps in periodic maintenance activity.
Setting up CloudTrail to integrate with Panther is simple and fast. You’ll find more detailed and specific instructions here.
But in a nutshell, the process involves four easy steps:
1. Connecting your AWS account to Panther
2. Performing a baseline scan to identify all existing CloudTrails in your account(s)
3. Identifying security issues with built-in detections
4. Sending alerts if non-compliant CloudTrails exist
When it comes to CloudTrail logs best practices, Panther recommends the following:
Centralize CloudTrail logging: Log all accounts into a single S3 Bucket, with the easiest implementation being an organization-wide trail.
S3 access logging: Enable S3 Access logging and tracking for CloudTrail in order to identify exfiltration.
Object locking: For highly compliant environments, enable S3 Object Locking on your S3 Bucket to ensure data cannot be deleted.
KMS Encryption: Ensure log files at rest are encrypted with a Customer Managed KMS key to safeguard against unwarranted access.
Panther can collect, normalize, and analyze your CloudTrail logs to detect suspicious activity in real-time. Panther’s cloud-native security analytics platform ships with pre-built integrations to make it easy to quickly analyze your data, triage alerts, and remediate incidents.
With CloudTrail data, Panther enables the following use cases:
With Panther, you get to take advantage of practical built-in policies for continuous monitoring of CloudTrail resources. Or, you can simply write your own detections in Python to fit your internal business use cases.
Read our documentation on how to use Panther to track events from your CloudTrail.
