Blog   |   Security   |   April 4, 2016

Making AWS Security Simple, Part 3: CloudTrail Logs

Saving time and allowing security teams to both be more efficient and better educated is vital to success in the cloud. Network security is challenging in cloud environments because the architectures are dynamic, which makes fixed security measures cumbersome and expensive. At the same time, hackers are more sophisticated and increasingly engaged in persistent attacks to compromise the network and cloud that can extend over the course of many months. Despite these concerns, however, security and compliance can be strengthened in cloud deployments.
The purpose of this series is to show how to take simple steps toward saving your security team time and headaches.  Once you have your CloudTrail configured properly and have started monitoring it, the next step is to investigate the activity you are monitoring. If you haven’t done it before it can be tough to figure out where to begin.
Check out Part 1 and Part 2 of the series to see more basic steps you can take. This third post of the series will dig deeper into how to use CloudTrail logs for forensic uses and activity alerts.

Using CloudTrail Logs to Investigate Activity

When you find yourself needing to track down who did what in an AWS account, having to use the AWS Management Console or manually read through the CloudTrail logs is impractical. For instance, say you want to see all the IAM users that have been added in the past month to an AWS account. It is entirely impractical to look through all the log files to find the event CreateUser. Search capability like this requires loading data into a database that can be queried.
Another example: assume that you need to find all IAM policy modifications for the past three months in a specific AWS account. To effectively do this you must first gather up all the AWS events that would result in an IAM policy modification. Next, you would have to find a way to search over 200,000 CloudTrail files (a new file every 5 minutes to 9 different regions).
When investigating activity in an AWS account, we recommend starting with the Security/CloudTrail/Common Searches report. Similar to CloudTrail built-in alerts, this screen is compiled of search options which will help guide you to picking the right options to filter by. This page includes the following searches:

  • Find who created, started, stopped, terminated an EC2 Instance
  • Find AWS management console login attempts
  • Find unauthorized access attempts
  • Find all activity for a specific IAM user
  • Find all activity for a specific IP address
  • Find IAM users created in a time period

For example, if we wanted to see the data from the last option, “Find IAM users created during a time period”, select the date and the hour to begin the search and the date and the hour to end the search and select ‘Search’. CloudCheckr will translate this into the event CreateUser. The results will show any IAM user created during that time span.
You can also find CloudTrail information by searching directly under Security/CloudTrail/Events. This report gives you the ability to group by different options such as User Name, Event Name, IP Address, and Service. You can choose the time period you would like to search in, the response type as well as a specific resource ID. We also provide filtering options on region, service, event name, IAM users, and IP addresses. This gives you the ability to narrow down results in any way you need.
NOTE: CloudCheckr maintains a complete history of CloudTrail. CloudCheckr records meta-data about the events in order to quantify and search the results, but CloudCheckr does not maintain a complete copy of the CloudTrail event. We recommend you retain the copy of you CloudTrail events in S3 for as long as your security policy requires. You can in addition use Glacier for archiving older CloudTrail log files.

Wrapping up CloudTrail Investigating

“CloudCheckr’s best practices notifications ensure that our AWS configurations and policies are systematically optimized. The email alerts notify us every day on exceptions and recommended remedies to balance performance, security and spend.”

– Christopher Adorna CTO, SocialArc

Knowing what to look for and how to investigate efficiently takes a lot of experience.  Using CloudCheckr to provide automated checks and alerts you will save time and avoid the human error aspect of constant manual checks. We are one level deeper, but still have plenty of information to cover on securing your AWS environment. Our next post goes down another level and cover perimeter checks and security groups.
As always, if you want to try out the features and experience this all first-hand, try out the app for free. See how much time and effort we can save you. Don’t believe us, ask our customers!