A Deep Dive into CloudTrail Events for Enhanced Security Monitoring and Alarming
Exploring Key Event Types and Practical Setup Examples, including Security Group Changes, Console Sign-In Failures, and IAM Policy Modifications
What Is AWS CloudTrail?
AWS CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.
Setting up AWS CloudTrail
Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail
Types of CloudTrail Events
Management Events vs Data Events vs Insights Events
Here's a table summarizing the differences between Management Events, Data Events, and Insights Events in AWS CloudTrail:
| Aspect | Management Events | Data Events | Insights Events |
| --- | --- | --- | --- |
| Logging Type | Logged by default | Not logged by default | Not logged by default |
| Event Type | Control plane operations | Data plane operations | Unusual activity detection |
| Scope | Actions on AWS resources | Resource operations | Unusual activity in API usage |
| Volume | May vary, typically lower volume | High-volume activities | Low volume, logged only for unusual activity |
| Examples | Creating, modifying, or deleting resources | Accessing, updating, or deleting data within a resource | Detecting unauthorized API usage or changes |
| Insight Information | Basic details of management operations | Details about resource-level operations | Detailed information about unusual activity |
| Logging Control | Logged by default; can be configured | Not logged by default; can be configured | Not logged by default; can be configured |
In our example we are only enabling Management Events.
Creating an Amazon CloudWatch Alarm for Security Group Configuration Changes in AWS
In this example, we will create an Amazon CloudWatch alarm that fires on security group configuration changes in AWS.
Create a metric filter
In the AWS console search bar, open CloudWatch Logs and select the log group you created earlier.
Enter the filter pattern below for EC2 security group changes:
{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }
Create an alarm
Follow this procedure to create an alarm.
Create an SNS topic and subscribe to its notifications
Confirming SNS Subscription in AWS SNS Topic
After opening the new tab in your browser, you should receive an email prompting you to confirm your subscription to security group change alerts from AWS. Confirm the subscription, then verify that its status has changed to Confirmed.
Moving back to the Create Alarm page
Changing a Security Group Rule to Trigger the Alarm
AWS CloudTrail Pricing
https://aws.amazon.com/cloudtrail/pricing/
Metric alarm states
A metric alarm has the following possible states:
OK – The metric or expression is within the defined threshold.
ALARM – The metric or expression is outside of the defined threshold.
INSUFFICIENT_DATA – The alarm has just started, the metric is not available, or not enough data is available for the metric to determine the alarm state.
Alarm Pricing
You get 10 free alarms and 1,000 free e-mail notifications each month as part of the AWS Free Tier.
Key CloudTrail Events To Monitor for Security in AWS
AWS Management Console sign-in failures
{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }
Security group configuration changes
{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }
IAM policy changes
{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}
StopLogging
{($.eventName=StopLogging)}
DeleteTrail
{($.eventName=DeleteTrail)}
UpdateTrail
Attackers may change a multi-region trail into a single-region trail, which stops logging for the other regions.
{($.eventName=UpdateTrail)}
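As an added example (not code from the original post), the following Python evaluates the subset of CloudWatch Logs JSON filter-pattern syntax used in the patterns above (`$.field = value` comparisons joined with `&&`, `||` and parentheses; no numeric, wildcard or `!=` operators) against constructed CloudTrail records, so a pattern can be sanity-checked offline before it is deployed as a metric filter. The names `lookup`, `compile_pattern`, `scan` and `SAMPLE_EVENTS` are my own, and the sample records are constructed.

```python
import re
# Added example, not from the original post: offline evaluator for the subset of
# CloudWatch Logs filter-pattern syntax used in this post's detection patterns.
TOKEN_RE = re.compile(r'\$\.[\w.]+|"[^"]*"|&&|\|\||[(){}=]|[^\s(){}=&|"]+')

def lookup(record, path):  # walk a $.a.b selector through nested dicts; None if absent
    for key in path:
        record = record.get(key) if isinstance(record, dict) else None
    return record

def compile_pattern(pattern):
    # Recursive-descent parse of '{ (...) || (...) }' into a predicate record -> bool.
    # '&&' binds tighter than '||'; parentheses group, as in the patterns above.
    tokens, pos = TOKEN_RE.findall(pattern), 0
    peek = lambda: tokens[pos] if pos < len(tokens) else None
    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        pos += 1
        return tok
    def atom():  # '(' expr ')' | $.selector = value
        if peek() == "(":
            take("("); inner = expr(); take(")")
            return inner
        path = take()[2:].split(".")  # drop the leading '$.' from the selector
        take("="); value = take().strip('"')  # quoted and bare values compare as strings
        return lambda rec: lookup(rec, path) == value
    def term():  # atom ('&&' atom)*
        left = atom()
        while peek() == "&&":
            take(); left = (lambda l, r: lambda rec: l(rec) and r(rec))(left, atom())
        return left
    def expr():  # term ('||' term)*
        left = term()
        while peek() == "||":
            take(); left = (lambda l, r: lambda rec: l(rec) or r(rec))(left, term())
        return left
    take("{"); pred = expr(); take("}")
    if peek() is not None: raise ValueError("unexpected tokens after the closing '}'")
    return pred

def scan(pattern, records):  # eventName of each record the metric filter would count
    pred = compile_pattern(pattern)
    return [r["eventName"] for r in records if pred(r)]

# Constructed sample CloudTrail records, trimmed to the fields the patterns inspect.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "errorMessage": "Failed authentication"},
    {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "AuthorizeSecurityGroupIngress"},
    {"eventName": "StopLogging"},
]
```

Calling `scan(pattern, SAMPLE_EVENTS)` with any pattern from this post returns the event names it would count; a malformed pattern raises `ValueError` instead of silently matching nothing.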