{"id":2381,"date":"2024-01-10T22:21:44","date_gmt":"2024-01-10T22:21:44","guid":{"rendered":"https:\/\/www.maghilda.com\/staging\/9669\/?p=2381"},"modified":"2024-01-10T22:25:34","modified_gmt":"2024-01-10T22:25:34","slug":"8-tips-for-aws-cloudtrail-for-security-monitoring-and-best-practices","status":"publish","type":"post","link":"https:\/\/www.maghilda.com\/staging\/9669\/8-tips-for-aws-cloudtrail-for-security-monitoring-and-best-practices\/","title":{"rendered":"8 Tips for AWS CloudTrail for security monitoring and best practices"},"content":{"rendered":"\n

1. CloudTrail is turned on by default and will store logs in the CloudTrail portal for 90 days. To extend the retention of the logs past 90 days, you need to configure a trail to send the logs to an S3 bucket. Additionally, you can also send the logs to CloudWatch to monitor your trail logs and notify you when specific activity occurs. Make sure to minimize access to the S3 bucket that CloudTrail writes to prevent destruction of logs. See the HOWTO section below on how to Enable Object Lock on the S3 bucket.<\/p>\n\n\n\n

2. By default only Management events (API calls that create\/delete\/start or stop a service or make a call into an existing service that is running) are recorded. This includes calls made by using the AWS management console, AWS SDKs, command line tools, and higher level AWS services. If you want to obtain Data events (paid service), such as API calls to retrieve\/store\/query S3 data, calls to Lambda functions, and Database API calls, you must create a Trail and enable optional events. Although there is a cost associated with enabling Data Events, I highly recommend doing so to get detailed insights into your events.<\/p>\n\n\n\n

3. Enable CloudTrail Log File Integrity. This gives you a cryptographic signature to ensure the logs you have received are not tampered, and can be verified easily with the AWS CLI. It will also give you a way to prove logs weren\u2019t deleted as you can use the public key to validate the digest file after the log files are delivered.<\/p>\n\n\n\n

4. Most resources in AWS are region specific. However, CloudTrail is configured to be global by default i.e. it is enabled in all AWS regions. Ensuring this default will enable more visibility and automatically track data from new Regions as they come online or can be alerted upon if the other regions are not being used but there is an activity. Disabling multi region logging gives a bad actor free reign in every region except for the one the trail was created in.<\/p>\n\n\n\n

5. Encrypt CloudTrail logs using server side encryption using KMS (SSE-KMS) instead of the S3 managed server side encryption (SSE-S3) to control key rotation, obtain auditing visibility into key usage and control who can read the CloudTrail log files within your organization.<\/p>\n\n\n\n

6. Set up an organization trail to monitor all of the logs generated by the AWS accounts within an\u00a0AWS Organization. AWS Organizations allows you to centrally manage the access permissions of users in all of the accounts in the organization, and can be\u00a0set up\u00a0at no additional cost. Organizations are recommended when your team needs to manage many different AWS accounts by governing your ever-changing environment and enforce configurations on your primary and member accounts.<\/p>\n\n\n\n

7. Implement a powerful search capability with CloudTrail, like an ELK cluster, Splunk, or a cloud service like Loggly or Papertrail as these integrations allow you to quickly add and remove filters to explore your data. Segment it from your production environment. If you\u2019re using a Lambda function to process these logs, make sure the Lambda function used to process logs cannot be tampered with by your production users and roles.<\/p>\n\n\n\n

8. Minimize access to the CloudTrail API. If a key or role is compromised with write access to any CloudTrail API actions (DeleteTrail, StopLogging, UpdateTrail), bad things could happen and can go undetected for a long time. For example, an attacker can run the following commands with the compromised account to cover their steps
<\/p>\n\n\n\n

\u2014 delete trail\naws cloudtrail delete-trail --name <your-trail-trail><\/code><\/pre>\n\n\n\n
\u2014 disable logging\naws cloudtrail stop-logging --name <your-trail-trail><\/code><\/pre>\n\n\n\n
- disable multi-region and global services\u00a0logging\naws cloudtrail update-trail --name <your-trail-trail> --no-is-multi-region-trail --no-include-global-service-events<\/code><\/pre>\n\n\n\n
Hence, grant least privileges to your users and roles. AWS suggests granting AWSCloudTrail_ReadOnlyAccess<\/strong><\/a> policy which provides permissions to view the the logs, including recent events and event history. This policy also allows to view existing trails, event data stores, and channels. Roles and users with this policy can download the event history<\/a>, but they can’t create or update trails, event data stores, or channels. You can further restrict with the policies below <\/p>\n\n\n\n
HOWTO: Set up AWS CloudTrail Trails and extract logs on your local machine<\/h5>\n\n\n\n
Prerequisities<\/h6>\n\n\n\n