@ross-humphrey
Created April 26, 2021 08:09
Leveraging CloudTrail to Secure AWS Accounts

What is CloudTrail?

  • Enables governance, compliance, and operational and risk auditing

  • Records events performed by users, roles and AWS services

  • Includes action events from the console, CLI and any SDK or API

  • Enabled in accounts by default (nothing to do to enable)

  • Gives visibility into account activity: you can view, search, download and archive the monitored activity within your accounts

  • IT IS AN AUDIT TRAIL (for the AWS exam) - worth noting

Trails are regional, but a trail can be created in all regions at the same time.

CloudTrail Configuration

  • Management events - changes, additions, etc. to services.

  • Data events - specific to data handling within the account (such as S3 objects, but not the buckets themselves).

  • S3 storage and encryption - logs are stored in S3 and encrypted.

  • The default trail in CloudTrail is limited in features and scope.
  • You can go back 90 days in the default trail.
  • You can see the access key within the ‘Event history’; this also resolves to the user name.
  • Each event is stored as JSON, and the JSON can be parsed.
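As an added example (not part of the original gist), the following Python reads a CloudTrail log file in the form it is delivered to S3 (gzip-compressed JSON with a top-level `Records` list), resolves each event to its principal and access key id, splits read from write calls, and flags writes against CloudTrail itself such as `StopLogging`. The records, account number, key ids and addresses are constructed for the example.

```python
import gzip
import io
import json

# Constructed sample in the delivered log-file layout {"Records": [...]}; the
# account number, names, key ids and addresses are all made up for this example.
SAMPLE_LOG = {
    "Records": [
        {
            "eventVersion": "1.08",
            "eventTime": "2021-04-26T08:01:12Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "ListBuckets",
            "readOnly": True,
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {
                "type": "IAMUser",
                "userName": "alice",
                "accessKeyId": "AKIAEXAMPLEKEY000001",
                "accountId": "123456789012",
            },
        },
        {
            "eventVersion": "1.08",
            "eventTime": "2021-04-26T08:02:40Z",
            "eventSource": "cloudtrail.amazonaws.com",
            "eventName": "StopLogging",
            "readOnly": False,
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.7",
            "userIdentity": {
                "type": "AssumedRole",
                "principalId": "AROAEXAMPLEROLE0001:deploy-session",
                "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/deploy-session",
                "accessKeyId": "ASIAEXAMPLETEMP00001",
                "accountId": "123456789012",
            },
            "requestParameters": {"name": "org-audit-trail"},
        },
    ]
}

# CloudTrail management writes that switch off or narrow the audit trail itself.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def gzip_log_file(log: dict) -> bytes:
    """Store a record set the way a delivered log file is kept in S3: gzip-compressed JSON."""
    return gzip.compress(json.dumps(log).encode("utf-8"))


def parse_log_file(blob: bytes) -> list:
    """Decompress a delivered log file and return its list of event records."""
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
        return json.load(fh)["Records"]


def principal_of(record: dict) -> str:
    """Name the actor: IAM user name when present, else the role-session ARN, else the principalId."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("principalId", "unknown")


def summarise(records: list) -> list:
    """Flatten each record to the fields an analyst reads first."""
    rows = []
    for rec in records:
        rows.append({
            "time": rec["eventTime"],
            "principal": principal_of(rec),
            "accessKeyId": rec.get("userIdentity", {}).get("accessKeyId"),
            "event": rec["eventName"],
            "write": not rec.get("readOnly", False),  # the read/write split used by management-event selectors
            "sourceIP": rec.get("sourceIPAddress"),
            "tamper": rec["eventSource"] == "cloudtrail.amazonaws.com"
                      and rec["eventName"] in TRAIL_TAMPER_EVENTS,
        })
    return rows


def keys_to_principals(records: list) -> dict:
    """Resolve every access key id seen in the log to the principal(s) that used it."""
    mapping = {}
    for rec in records:
        ident = rec.get("userIdentity", {})
        if "accessKeyId" in ident:
            mapping.setdefault(ident["accessKeyId"], set()).add(principal_of(rec))
    return mapping


def find_tampering(records: list) -> list:
    """Rows for writes that weaken the trail; these deserve an alert, not just a log line."""
    return [row for row in summarise(records) if row["tamper"]]


if __name__ == "__main__":
    recs = parse_log_file(gzip_log_file(SAMPLE_LOG))
    for row in summarise(recs):
        print(row)
    print(keys_to_principals(recs))
```

The `readOnly` flag is the same read/write distinction the management-event selector uses, so the `write` column corresponds to what a write-only selector would have kept; temporary keys (`ASIA` prefix) resolve to a role session ARN rather than a user name, which is why `principal_of` falls back to the ARN.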

Creating a custom CloudTrail trail -

  • In the console, go to ‘Create Trail’

  • You can apply a trail to all regions when setting it up. Best practice is to apply the trail to all regions.

  • Management events - events on resources in the account; you can configure read, write, any combination, or none. Best practice is to leave it as ‘All’.

  • Log KMS events - lets you log all KMS events.

  • Insight events - not covered as part of the exam. Just groups of records that capture lots of write calls on APIs.

  • Data events - records of resource operations performed on S3 and/or Lambda. Can specify all, or individual Lambda functions / S3 buckets.

  • All audit events can be pushed to S3.

  • Always encrypt your S3 buckets.

  • Enable log file validation - IMPORTANT. Enables you to check that log files have not been tampered with in any way. If you move these files, it will tell you that they are not a true original copy of the logs. If you enable this option, be sure you are sending it to the ‘final destination for the log files’.
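To show what log file validation actually checks, here is an added example (not from the gist, and not AWS's validation code): a digest file in the shape CloudTrail writes carries a SHA-256 hash for each log file delivered in the hour plus the hash of the previous digest, and a validator re-hashes both. It assumes hashes are taken over the decompressed contents, and it leaves out the RSA signature that CloudTrail adds over each digest (that signature is what stops a forged digest from being accepted at all). The account id, bucket and object keys are constructed.

```python
import gzip
import hashlib
import json
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, the hash algorithm named in CloudTrail digest files."""
    return hashlib.sha256(data).hexdigest()


def deliver_log_file(records: list) -> bytes:
    """Constructed stand-in for a delivered log object: gzip-compressed {"Records": [...]}."""
    return gzip.compress(json.dumps({"Records": records}).encode("utf-8"))


def build_digest(bucket: str, log_objects: dict, previous_digest: Optional[bytes]) -> bytes:
    """Write a digest in the shape CloudTrail uses: one hash per log file delivered in the
    hour, plus the hash of the previous digest so the chain can be walked backwards.
    Assumption for this example: hashes are over the decompressed contents. The RSA
    signature CloudTrail adds over each digest is omitted here."""
    digest = {
        "awsAccountId": "123456789012",
        "digestS3Bucket": bucket,
        "logFiles": [
            {"s3Bucket": bucket, "s3Object": key, "hashAlgorithm": "SHA-256",
             "hashValue": sha256_hex(gzip.decompress(blob))}
            for key, blob in sorted(log_objects.items())
        ],
        "previousDigestHashAlgorithm": "SHA-256" if previous_digest else None,
        "previousDigestHashValue": sha256_hex(gzip.decompress(previous_digest)) if previous_digest else None,
    }
    return gzip.compress(json.dumps(digest).encode("utf-8"))


def validate(digest_blob: bytes, store: dict, previous_digest: Optional[bytes]) -> list:
    """Re-hash every object the digest covers and report each discrepancy."""
    problems = []
    digest = json.loads(gzip.decompress(digest_blob))
    for entry in digest["logFiles"]:
        blob = store.get(entry["s3Object"])
        if blob is None:
            problems.append("missing: " + entry["s3Object"])   # moved or deleted log file
        elif sha256_hex(gzip.decompress(blob)) != entry["hashValue"]:
            problems.append("modified: " + entry["s3Object"])  # contents no longer the original
    if previous_digest is not None and \
            sha256_hex(gzip.decompress(previous_digest)) != digest["previousDigestHashValue"]:
        problems.append("chain broken: previous digest does not match")
    return problems


def demo() -> tuple:
    """Two hours of delivery, then two kinds of tampering."""
    bucket = "example-cloudtrail-logs"
    key1 = "AWSLogs/123456789012/CloudTrail/us-east-1/2021/04/26/hour1.json.gz"
    key2 = "AWSLogs/123456789012/CloudTrail/us-east-1/2021/04/26/hour2.json.gz"
    hour1 = {key1: deliver_log_file([{"eventName": "StopLogging", "userIdentity": {"userName": "mallory"}}])}
    digest1 = build_digest(bucket, hour1, None)
    hour2 = {key2: deliver_log_file([{"eventName": "StartLogging", "userIdentity": {"userName": "alice"}}])}
    digest2 = build_digest(bucket, hour2, digest1)
    clean = validate(digest1, hour1, None) + validate(digest2, hour2, digest1)

    # Tampering 1: rewrite the actor in hour 1's log file; the per-file hash no longer matches.
    edited = {key1: deliver_log_file([{"eventName": "StopLogging", "userIdentity": {"userName": "alice"}}])}
    after_edit = validate(digest1, edited, None)

    # Tampering 2: also regenerate digest 1 to cover the edit; digest 2's back-pointer catches it.
    forged_digest1 = build_digest(bucket, edited, None)
    after_forge = validate(forged_digest1, edited, None) + validate(digest2, hour2, forged_digest1)
    return clean, after_edit, after_forge


if __name__ == "__main__":
    for label, result in zip(("clean", "after edit", "after forged digest"), demo()):
        print(label, "->", result or "OK")
```

The second tampering case is why the chain matters: replacing a log file and its own digest is not enough, because the next hour's digest still records the hash of the original digest. This is also why the note above says to validate at the final destination; objects that have been moved show up as `missing` rather than as originals.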

  • First trail is free, additional ones are paid for. You will however incur costs on S3.

  • Stored gzipped in S3.

  • CloudTrail events can also be pushed to CloudWatch, which is easier to manage than the S3 approach. You can also stream the CloudWatch events to a Lambda (to carry out actions) or to Elasticsearch (a dashboard that shows what events are being received).
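The console steps above map onto three CloudTrail API calls. The following added example (mine, not from the gist) expresses that checklist as the boto3 parameters for `create_trail`, `put_event_selectors` and `start_logging`, and adds an `audit_trail` check that takes a `describe_trails` entry and its `get_event_selectors` result and reports which of the best practices listed above a trail misses. The client is passed in, so a recording stand-in runs offline; the account id, bucket, KMS key, log group and role ARNs are constructed placeholders.

```python
# Constructed identifiers for the account, bucket, key, log group and role.
ACCOUNT_ID = "123456789012"
TRAIL_NAME = "org-audit-trail"
LOG_BUCKET = "example-cloudtrail-logs"
KMS_KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/00000000-0000-0000-0000-000000000000"
LOG_GROUP_ARN = f"arn:aws:logs:us-east-1:{ACCOUNT_ID}:log-group:cloudtrail:*"
CW_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/CloudTrailToCloudWatch"


def create_trail_calls() -> dict:
    """The three API requests that implement the checklist above, with boto3 parameter names."""
    return {
        "create_trail": {
            "Name": TRAIL_NAME,
            "S3BucketName": LOG_BUCKET,
            "IsMultiRegionTrail": True,            # apply the trail to all regions
            "IncludeGlobalServiceEvents": True,    # IAM, STS and other global services
            "EnableLogFileValidation": True,       # digest files for tamper detection
            "KmsKeyId": KMS_KEY_ARN,               # SSE-KMS on the delivered objects
            "CloudWatchLogsLogGroupArn": LOG_GROUP_ARN,
            "CloudWatchLogsRoleArn": CW_ROLE_ARN,
        },
        "put_event_selectors": {
            "TrailName": TRAIL_NAME,
            "EventSelectors": [{
                "ReadWriteType": "All",            # management events left as 'All'
                "IncludeManagementEvents": True,
                "DataResources": [
                    {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]},        # every bucket
                    {"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"]},  # every function
                ],
            }],
        },
        "start_logging": {"Name": TRAIL_NAME},
    }


def apply(client) -> list:
    """Run the calls in order against a CloudTrail client (boto3.client('cloudtrail') in practice)."""
    done = []
    for method, params in create_trail_calls().items():
        getattr(client, method)(**params)
        done.append(method)
    return done


class RecordingClient:
    """Offline stand-in for the boto3 client: records each call instead of making it."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**params):
            self.calls.append((name, params))
            return {}
        return method


def audit_trail(description: dict, selectors: list) -> list:
    """Compare a describe_trails entry and its event selectors against the practices above."""
    findings = []
    if not description.get("IsMultiRegionTrail"):
        findings.append("not multi-region")
    if not description.get("LogFileValidationEnabled"):
        findings.append("log file validation disabled")
    if not description.get("KmsKeyId"):
        findings.append("logs not encrypted with KMS")
    if not description.get("CloudWatchLogsLogGroupArn"):
        findings.append("not delivered to CloudWatch Logs")
    if not any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All" for s in selectors):
        findings.append("management events not set to All")
    return findings


if __name__ == "__main__":
    client = RecordingClient()
    print(apply(client))
    for name, params in client.calls:
        print(name, params)
```

Against a real account you would replace `RecordingClient()` with `boto3.client("cloudtrail")` and run `audit_trail` over each entry in `describe_trails()["trailList"]`, paired with `get_event_selectors(TrailName=...)["EventSelectors"]`; the first trail is free, but data events for every bucket and function add S3 and delivery cost, which is the trade-off the note about S3 charges refers to.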
