Detecting Unauthorized IAM Credential usage

2022.09.01 10:17


TL;DR In this writeup, we’ll talk about how to spot when someone tries to log in to the AWS console but fails to authenticate. While the article is a bit long, please hang in there. It’s part of my Cloud Security assignment (ENPM665).

Introduction

Let’s start by configuring CloudTrail. AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, a role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, the AWS Command Line Interface, and the AWS SDKs and APIs.

By default, the CloudTrail Event History shows only the last 90 days of events for the region you are currently viewing, and only for the supported AWS services. These events are limited to management events: create, modify, and delete API calls and account activity. For a complete record of account activity, including all management events, data events, and read-only activity, you need to configure a CloudTrail trail.

In this writeup, we will create a trail and configure it to send events to CloudWatch Logs, then use CloudWatch Logs to monitor the account for specific API calls and events. We will also query the CloudTrail logs using Amazon Athena.
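Before walking through the console steps, it helps to see what the monitoring logic actually looks like. The following Python is an added example, not code from the original writeup: it mirrors the CloudWatch Logs metric-filter predicate for console authentication failures (`eventName = ConsoleLogin` with `errorMessage = "Failed authentication"`) and the AttachUserPolicy trigger mentioned later, and runs the same checks over a handful of constructed CloudTrail records so it works offline. The account id, IP addresses and user names in the sample records are placeholders; the role and group variants of AttachUserPolicy are real IAM actions added here so one detector covers all three.

```python
"""Detect failed console logins and IAM policy attachments in CloudTrail records.

Added example (not from the original writeup). The functions implement in
Python the same predicate a CloudWatch Logs metric filter would apply, and a
threshold check that behaves like the alarm built on that metric.
"""
import json
from collections import Counter

# The CloudWatch Logs metric filter pattern this code mirrors. Kept as a string
# for reference; is_console_login_failure() is its Python equivalent.
CONSOLE_LOGIN_FAILURE_PATTERN = (
    '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'
)

# IAM actions that grant permissions to a principal. The writeup triggers on
# AttachUserPolicy; the role and group variants are real IAM actions included
# so the same detector covers all of them.
POLICY_ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}

# Constructed sample records in CloudTrail's record format (placeholder values).
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "198.51.100.23", "errorMessage": "Failed authentication",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "198.51.100.23", "errorMessage": "Failed authentication",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "203.0.113.9", "errorMessage": "Failed authentication",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

# The two shapes CloudTrail data arrives in: a log file body from S3 with a
# top-level "Records" array, or one JSON record per line from CloudWatch Logs.
SAMPLE_LOG_FILE = json.dumps({"Records": SAMPLE_RECORDS})
SAMPLE_LOG_LINES = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def parse_cloudtrail_json(text):
    """Return a list of records from either input shape described above."""
    text = text.strip()
    try:
        doc = json.loads(text)
        if isinstance(doc, dict) and isinstance(doc.get("Records"), list):
            return list(doc["Records"])
    except json.JSONDecodeError:
        pass  # not a single document; fall through to line-by-line parsing
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_console_login_failure(record):
    """Python equivalent of CONSOLE_LOGIN_FAILURE_PATTERN."""
    return (record.get("eventName") == "ConsoleLogin"
            and record.get("errorMessage") == "Failed authentication")


def is_policy_attachment(record):
    """True for IAM calls that attach a managed policy to a principal."""
    return record.get("eventName") in POLICY_ATTACH_EVENTS


def principal_name(record):
    """Best-effort name of the caller: user name, else ARN, else identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def login_failures_by_source(records):
    """Count failures per (source IP, user), like a metric split by dimension."""
    return Counter((r.get("sourceIPAddress", "?"), principal_name(r))
                   for r in records if is_console_login_failure(r))


def alarm_sources(records, threshold):
    """Sources whose failure count reaches the threshold, like an alarm firing."""
    counts = login_failures_by_source(records)
    return sorted(key for key, n in counts.items() if n >= threshold)


def find_policy_attachments(records):
    """Records that should raise the AttachUserPolicy-style notification."""
    return [r for r in records if is_policy_attachment(r)]


if __name__ == "__main__":
    records = parse_cloudtrail_json(SAMPLE_LOG_FILE)
    for (ip, user), n in login_failures_by_source(records).items():
        print(f"console login failures from {ip} as {user}: {n}")
    print("alarm would fire for:", alarm_sources(records, threshold=2))
    for r in find_policy_attachments(records):
        print("policy attached:", r["requestParameters"]["policyArn"],
              "by", principal_name(r), "from", r["sourceIPAddress"])
```

The threshold check is the part that matters operationally: a single failed login is noise, while several failures from one source against one user in a short window is the signal the alarm in the next section is meant to surface.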

Create a Trail in CloudTrail

  1. Search for the CloudTrail service under the Management Tools section of the console and click it.

  2. In the CloudTrail console, click Trails on the left side of the screen.

  3. Click Create Trail to create the trail for this lab.

  4. Apply the following settings and create the trail:

  • Trail name: management-tools-week
  • Storage Location: Create new S3 Bucket
    • Trail log bucket and folder: Leave as it is aws-cloudtrail-logs-accountid-hash
  • Log file SSE-KMS encryption: Disabled (please uncheck the box)
  • Log file validation: Enabled
  • SNS notification delivery: Leave as it is (Disabled)
  • CloudWatch Logs: Enabled
    • Log group: New
    • Log group name: Enter CloudTrail/DefaultLogGroup
    • IAM Role: New
    • Role name: Enter CloudTrailRoleForCloudWatchLogs
  • Click Next
  • Event type: Configure both Management events and Data events
    • Management Events: Read, Write, Exclude AWS KMS Events (all checked)
    • Data event:
      • S3 (leave as it is)
      • Click “Add data event type” to configure Lambda data events and leave the defaults as they are (All regions, All functions)
  • Click Next and Create trail
  • We now have a trail capturing activity in our AWS account. Later on, we will search through it.

In this section, we will use a pre-defined CloudFormation template to create a set of CloudWatch alarms that monitor for security- and network-related activity.

  1. Launch the CloudFormation template: download the JSON template file, upload it in CloudFormation, and create the stack.

  2. On the Create stack page, click Next.


  3. On the Specify stack details page, enter a valid e-mail address and the LogGroupName we used in step 5 of the previous section (CloudTrail/DefaultLogGroup).

  4. On the next page, leave the default options and click Next.

  5. When you see the Create stack button, click it.

  • The CloudFormation template creates various resources, including CloudWatch alarms and an SNS topic with a subscription. After the stack deployment completes, you will receive an SNS subscription notification e-mail; confirm the subscription when it arrives.

Creating Alerts via Amazon EventBridge (formerly CloudWatch Events)

Triggering AttachUserPolicy Notification

Generating ConsoleLogin Failures

Creating CloudWatch Metric Filters

Graphing CloudWatch Metric Filters

Querying CloudTrail Logs in Logs Insights

Querying AWS CloudTrail Logs with Athena