A Deep Dive into CloudTrail Events for Enhanced Security Monitoring and Alarming

Exploring key event types and practical setup examples, including security group changes, console sign-in failures, and IAM policy modifications

What Is AWS CloudTrail?

AWS CloudTrail is the AWS service that records the API activity in your account for operational and risk auditing, governance, and compliance. Every action taken by a user, role, or AWS service is written as an event, with the caller identity, source IP address, request parameters and response. Every account keeps the last 90 days of management events in Event history, but to retain events longer and to drive CloudWatch alarms from them you need a trail that delivers to an S3 bucket and, for the examples below, to a CloudWatch Logs log group.

Setting up AWS CloudTrail

Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail. Create a trail, enable it for all regions, choose an S3 bucket for log delivery, and turn on CloudWatch Logs delivery, selecting or creating a log group. That log group is the one the metric filters below are attached to.

Types of CloudTrail events

Management Events vs Data Events vs Insights Events

Here is a table summarizing the differences between management events, data events, and Insights events in AWS CloudTrail:

| Aspect | Management events | Data events | Insights events |
| Logging type | Logged by default when a trail is created | Not logged by default | Not logged by default |
| Event type | Control-plane operations | Data-plane operations | Unusual API activity detection |
| Scope | Actions that create, configure or delete AWS resources | Operations on or within a resource | Anomalies in the call rate or error rate of management APIs |
| Volume | Typically lower | High | Low; an event is written only when an anomaly is detected |
| Examples | Creating, modifying or deleting resources, IAM changes, console sign-ins | S3 object reads and writes, Lambda function invocations | A spike in the rate of a given API call, or in its error rate |
| Information provided | Who called which API, from where, with which parameters and result | The same, for the resource-level call | The baseline, the observed rate and the period of the anomaly |
| Logging control | On by default; can be narrowed with event selectors | Off by default; enabled per resource type with event selectors | Off by default; enabled per trail and billed separately |

In this walkthrough only management events are enabled. That is sufficient for every filter pattern below, since they all match control-plane API calls: security group, IAM and CloudTrail configuration changes, and console sign-ins.

Creating an Amazon CloudWatch Alarm for Security Group Configuration Changes in AWS

In this example we create an Amazon CloudWatch alarm that fires whenever a security group's configuration changes and notifies us by e-mail through SNS.

Create a metric filter

In the AWS console search bar, type CloudWatch, then open Logs > Log groups.

Select the log group you created earlier when enabling CloudWatch Logs delivery for the trail, and choose Create metric filter.

Enter the filter pattern below for EC2 security group changes. When asked to assign a metric, give it a namespace (for example CloudTrailMetrics) and a name, set the metric value to 1 so that every matching event counts once, and set the default value to 0 so that periods without matches still publish a datapoint.

{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }

Create an alarm

From the metric filter you just saved, choose Create alarm. Use the statistic Sum over a period such as 5 minutes and a threshold of greater than or equal to 1, so that a single matching event raises the alarm.

Create an SNS topic and subscribe to the notification

On the notification step, create a new SNS topic and subscribe the e-mail address that should receive the alerts.

Confirming the SNS subscription in the SNS console

SNS sends a confirmation e-mail to the address you entered, asking you to confirm that you want to receive security group change alerts from AWS. Open the link in it, then check in the SNS console that the subscription status has changed from Pending confirmation to Confirmed. An unconfirmed subscription receives no notifications, so an alarm that fires before this step will be silent.

Moving back to the Create alarm page

Choose the confirmed topic as the action for the ALARM state, give the alarm a name and description, and create it.

Changing a security group rule to trigger the alarm

Add or remove an inbound rule on any security group. Within a few minutes the AuthorizeSecurityGroupIngress or RevokeSecurityGroupIngress event reaches the log group, the metric filter counts it, the alarm transitions to ALARM, and SNS delivers the e-mail. Undo the rule change afterwards.

AWS CloudTrail pricing

https://aws.amazon.com/cloudtrail/pricing/

The first copy of management events delivered to S3 in each region is free; additional copies, data events and Insights events are charged. The CloudWatch Logs log group that the alarms read from is billed separately for ingestion and storage.

Metric alarm states

A metric alarm has the following possible states:

  • OK – The metric or expression is within the defined threshold.

  • ALARM – The metric or expression is outside of the defined threshold.

  • INSUFFICIENT_DATA – The alarm has just started, the metric is not available, or not enough data is available for the metric to determine the alarm state. For a metric filter this is the normal resting state when nothing matched in the period and the filter has no default value, because no datapoint is published at all; set the filter's default value to 0, or the alarm's missing-data treatment to notBreaching, if you want the alarm to sit in OK instead.
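To see what the metric filter and the alarm above actually compute, here is an added example that is not code from the original article: it implements the subset of the CloudWatch Logs filter-pattern syntax used on this page, runs three of the page's patterns over a few constructed CloudTrail-style records, and derives the alarm state with a simplified version of the evaluation described in the list of states. The sample events are constructed, the `alarm_state` function is a simplification of CloudWatch's real missing-data handling, and the pattern names are assumptions; only the patterns themselves come from the page.

```python
"""Added example (not the article's code): evaluate CloudWatch Logs filter patterns over CloudTrail
records and derive the alarm state. Supports the syntax subset used on this page: { }, ( ), $.dotted.path,
= and !=, && and ||, bare or "quoted" values with '*' wildcards. SAMPLE_EVENTS are constructed, not real."""
import fnmatch
import re

# One token per match: $.path, "quoted string", != or =, && or ||, a bracket, or a bare value.
_TOKEN = re.compile(r'\s*(\$\.[A-Za-z0-9_.]+|"[^"]*"|!=|=|&&|\|\||[(){}]|[^\s(){}=&|"]+)')

def tokenize(pattern):
    tokens = _TOKEN.findall(pattern)
    if re.sub(r"\s", "", "".join(tokens)) != re.sub(r"\s", "", pattern):  # findall skipped something
        raise ValueError(f"pattern uses syntax outside the supported subset: {pattern!r}")
    return tokens

def _or(left, right): return lambda ev: left(ev) or right(ev)
def _and(left, right): return lambda ev: left(ev) and right(ev)

def _compare(event, keys, op, value):
    node = event
    for key in keys:  # walk $.a.b.c; an absent field satisfies neither = nor != (simplification)
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    hit = fnmatch.fnmatchcase(str(node), value)  # '*' wildcard, as in CloudWatch patterns
    return hit if op == "=" else not hit

def compile_pattern(pattern):
    """Recursive descent: or_expr := and_expr ('||' and_expr)*, and_expr := term ('&&' term)*."""
    tokens, pos = tokenize(pattern), [0]  # one-element list so the nested parsers can advance it
    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None
    def take(expected=None):
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'!r}, got {tok!r}")
        pos[0] += 1
        return tok
    def or_expr():
        left = and_expr()
        while peek() == "||":
            take()
            left = _or(left, and_expr())
        return left
    def and_expr():
        left = term()
        while peek() == "&&":
            take()
            left = _and(left, term())
        return left
    def term():
        if peek() == "(":
            take()
            inner = or_expr()
            take(")")
            return inner
        path, op, value = take(), take(), take()
        if not path.startswith("$.") or op not in ("=", "!="):
            raise ValueError(f"expected '$.field = value' or '!=', got {path} {op} {value}")
        keys = path[2:].split(".")
        value = value[1:-1] if value.startswith('"') else value
        return lambda ev: _compare(ev, keys, op, value)
    take("{")
    matcher = or_expr()
    take("}")
    return matcher

def count_matches(pattern, events):
    """What the metric filter publishes for one period: metric value 1 per matching event, summed."""
    matcher = compile_pattern(pattern)
    return sum(1 for event in events if matcher(event))

def alarm_state(datapoints, threshold, evaluation_periods=1):
    """Simplified GreaterThanOrEqualToThreshold evaluation over per-period Sums (oldest first, None = nothing
    published). A missing evaluated datapoint gives INSUFFICIENT_DATA (CloudWatch's 'missing' default, simplified)."""
    recent = datapoints[-evaluation_periods:]
    if len(recent) < evaluation_periods or any(dp is None for dp in recent):
        return "INSUFFICIENT_DATA"
    return "ALARM" if all(dp >= threshold for dp in recent) else "OK"

SAMPLE_EVENTS = [  # constructed records (not real log data) in CloudTrail's JSON shape
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "IAMUser"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DeleteSecurityGroup", "userIdentity": {"type": "AssumedRole"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeSecurityGroups"},  # read-only: must not match
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "errorMessage": "Failed authentication"},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging"},
]

PATTERNS = {  # three of the page's filter patterns, copied verbatim
    "SecurityGroupChanges": "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || "
                            "($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }",
    "ConsoleSignInFailures": '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }',
    "StopLogging": "{($.eventName=StopLogging)}",
}

def evaluate_all(events=SAMPLE_EVENTS):
    """Match count per pattern for one period; alarm_state([count], 1) is the state a threshold-1 alarm takes."""
    return {name: count_matches(pattern, events) for name, pattern in PATTERNS.items()}
```

Running `evaluate_all()` over the six sample records yields 2 security group changes, 1 sign-in failure and 1 StopLogging, so a threshold-1 alarm on each metric would go to ALARM for that period, while the read-only DescribeSecurityGroups call and the successful sign-in are ignored. The same `compile_pattern` function accepts the longer IAM pattern from the key-events section unchanged, which is a quick way to sanity-check a pattern against a sample event before pasting it into the console.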

Alarm Pricing

You get 10 free standard-resolution alarms and 1,000 free e-mail notifications from SNS each month as part of the AWS Free Tier.

Key CloudTrail Events To Monitor for Security in AWS

AWS Management Console sign-in failures

{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }

A single failed sign-in is rarely worth a page; alarm on a burst instead (for example a Sum of 3 or more in 5 minutes) and, when you investigate, read the userIdentity and sourceIPAddress fields of the matching events to tell a typo from a password-spraying attempt.

Security group configuration changes

{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }

IAM policy changes

{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}

This list covers inline and managed policy changes on users, groups and roles. It does not include UpdateAssumeRolePolicy, the call that changes who is allowed to assume a role; add that event name to the pattern if role trust changes matter to you, as they do in any cross-account setup.

StopLogging

{($.eventName=StopLogging)}

DeleteTrail

{($.eventName=DeleteTrail)}

UpdateTrail

Attackers who gain write access to CloudTrail often avoid deleting the trail outright, because that is conspicuous, and use UpdateTrail to quietly narrow it instead: turning a multi-region trail into a single-region one so that activity in every other region goes unrecorded, pointing delivery at an S3 bucket or log group they control, or disabling log file validation. PutEventSelectors, which changes which events the trail records at all, deserves the same treatment. Treat any of these calls as a high-severity alert, and keep the set of principals allowed to make them as small as possible.

{($.eventName=UpdateTrail)}
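The six patterns in this section can be provisioned as metric filters and alarms in one go rather than clicking through the console for each. The following is an added example using boto3 and is not the article's own code; the log group name CloudTrail/DefaultLogGroup, the CloudTrailMetrics namespace, the 5-minute period, the alarm names and the higher threshold for sign-in failures are assumptions, and the SNS topic ARN is passed in on the command line.

```python
"""Added example (not the article's code): provision one CloudWatch Logs metric filter and one alarm
per detection pattern from this page, using boto3. LOG_GROUP, NAMESPACE, THRESHOLDS, the 5-minute
period and the alarm names are assumptions; the SNS topic ARN is supplied by the caller."""
import sys

LOG_GROUP = "CloudTrail/DefaultLogGroup"  # assumed: the log group your trail delivers to
NAMESPACE = "CloudTrailMetrics"           # assumed custom metric namespace
THRESHOLDS = {"ConsoleSignInFailures": 3}  # assumed: alert on a burst of failures, 1 event for everything else

# The page's six filter patterns, copied verbatim.
PATTERNS = {
    "ConsoleSignInFailures": '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }',
    "SecurityGroupChanges": "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || "
                            "($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }",
    "IAMPolicyChanges": "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||"
                        "($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||"
                        "($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||"
                        "($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}",
    "CloudTrailStopLogging": "{($.eventName=StopLogging)}",
    "CloudTrailDeleteTrail": "{($.eventName=DeleteTrail)}",
    "CloudTrailUpdateTrail": "{($.eventName=UpdateTrail)}",
}


def filter_params(name, pattern, log_group=LOG_GROUP):
    """Arguments for logs.put_metric_filter: each matching event adds 1 to the metric; defaultValue 0
    makes quiet periods publish a datapoint so the alarm can return to OK instead of INSUFFICIENT_DATA."""
    return {
        "logGroupName": log_group,
        "filterName": name,
        "filterPattern": pattern,
        "metricTransformations": [{"metricName": name, "metricNamespace": NAMESPACE,
                                   "metricValue": "1", "defaultValue": 0.0}],
    }


def alarm_params(name, topic_arn, threshold=1, period=300):
    """Arguments for cloudwatch.put_metric_alarm: Sum over one period >= threshold raises ALARM and
    notifies the SNS topic; TreatMissingData=notBreaching also keeps a silent period in OK."""
    return {
        "AlarmName": f"CloudTrail-{name}",
        "AlarmDescription": f"CloudTrail metric filter {name} matched at least {threshold} event(s) in {period}s",
        "Namespace": NAMESPACE,
        "MetricName": name,
        "Statistic": "Sum",
        "Period": period,
        "EvaluationPeriods": 1,
        "Threshold": float(threshold),
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [topic_arn],
    }


def provision(topic_arn, log_group=LOG_GROUP, region=None):
    """Create or update every filter and alarm (both calls are idempotent upserts); returns the alarm names."""
    import boto3  # imported here so the parameter builders above can be used without boto3 installed
    logs = boto3.client("logs", region_name=region)
    cloudwatch = boto3.client("cloudwatch", region_name=region)
    configured = []
    for name, pattern in PATTERNS.items():
        logs.put_metric_filter(**filter_params(name, pattern, log_group))
        alarm = alarm_params(name, topic_arn, threshold=THRESHOLDS.get(name, 1))
        cloudwatch.put_metric_alarm(**alarm)
        configured.append(alarm["AlarmName"])
    return configured


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: provision_cloudtrail_alarms.py <sns-topic-arn>")
    for alarm_name in provision(sys.argv[1]):
        print("configured", alarm_name)
```

Run it with the ARN of the confirmed SNS topic from the walkthrough, using credentials for the region that holds the log group, since metric filters and alarms are regional resources. The caller needs logs:PutMetricFilter and cloudwatch:PutMetricAlarm; with a multi-region trail all regions' management events land in the one log group, so a single set of filters covers the whole account.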

Support Beyond DevOps by becoming a sponsor. Any amount is appreciated!