Securely Configuring and Mining CloudTrail Aaron C. Newman Founder, CloudCheckr [email protected]

Webinar: Securely Configuring and Mining AWS CloudTrail


DESCRIPTION

CloudTrail provides a rich audit trail of the activity in your AWS environment. To maintain compliance with one of the many auditing standards, you need to implement continuous monitoring and be able to produce evidence when it is asked for. Having access to CloudTrail is just the first step. Once you have verified that CloudTrail is enabled and configured properly, you need to ingest the CloudTrail files, parse them, and turn them into actionable information.

Webinar topics include:
- Setting up tamper-resistant archives for CloudTrail
- Implementing a centralized bucket for CloudTrail across your organization
- Securely configuring CloudTrail across hundreds of AWS accounts

YouTube Link: https://www.youtube.com/watch?v=_mk_qf0U4hI


Page 1: Webinar: Securely Configuring and Mining AWS CloudTrail

Securely Configuring and Mining CloudTrail

Aaron C. Newman

Founder, CloudCheckr

[email protected]

Page 2

What is CloudTrail?

• An AWS service that records each call made to the AWS API
• Currently supports 20+ AWS services; the document history lists which ones: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/dochistory.html

• Conveniently, everything in AWS goes through the API
• Even actions in the Management Console go through the API

• CloudTrail writes files into an S3 bucket
• Near real-time (a new file roughly every five minutes)

• Files are in JSON format

Get started at http://aws.amazon.com/cloudtrail/

Page 3

What CloudTrail Isn’t?

• Logs at the AWS layer only
• Doesn't replace logging at the database, operating system, or network level

• It is logging, not monitoring
• Doesn't tell you what the event means or when something is wrong; it only records who did what

• Logs events, not results
• Doesn't tell you what changed in the environment as a result of the event

• Doesn't log S3/CloudFront file accesses
• Use S3/CloudFront access log files for this

Page 4

Why do I need CloudTrail?

• Monitoring user activity

• Monitoring administrator activity

• Monitoring for misuse and attacks

• Regulatory and Policy Compliance

• Change management & Continuous monitoring

Security at Scale: Logging in AWS
http://media.amazonwebservices.com/AWS_Security_at_Scale_Logging_in_AWS.pdf

Page 5

How do I turn on CloudTrail?

• Less than 1 minute to enable
• Not enabled by default
• Needs to be set up in each region
• Working on support in GovCloud; all other regions are supported
• Configure where log files will be delivered
• The AWS Management Console will set up the bucket permissions properly for you
• Option: set up a lifecycle rule to move old log files to Glacier
• Only if S3 costs are getting onerous (e.g. you are keeping 6 years of CloudTrail)
• Caution: retrieval from Glacier is slow AND expensive, which matters when an auditor or an incident responder needs a specific day back quickly
• Recommended: enable in all regions, not just the regions you use; a region nobody looks at is exactly where unauthorized activity goes unnoticed
• Aggregate into a single bucket across accounts

Demo: Enabling CloudTrail

http://docs.aws.amazon.com/awscloudtrail/latest/

userguide/create_trail_using_the_console.html

Page 6

Example CloudTrail record

• Compressed (gzip), JSON format
– Pretty-print locally (for example with jq or python -m json.tool) rather than pasting records into a third-party site such as http://jsonprettyprint.com/; the records carry account IDs, ARNs and source IP addresses
• Sub-sections include "userIdentity" (who made the call), "requestParameters" and "responseElements"
• The resource ID is typically included in "requestParameters"
• "responseElements" is null for read-only API calls (Describe*, Get*, List*); "requestParameters" still shows what was asked for
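To make the record layout concrete, here is an added example (not code from the original deck or from CloudCheckr) that decompresses a CloudTrail file and flattens each record into the who/what/which-resource fields a reviewer wants. The file is constructed inline from two hand-written records that follow the documented record layout; the account ID, ARNs, instance ID, IP address and timestamps are placeholders.

```python
"""Parse a CloudTrail log file and pull out the fields the slide calls out.

Added example, not code from the original deck or from CloudCheckr. The
gzipped file is built inline from constructed records; account ID, ARNs,
instance ID, IP address and timestamps are placeholders.
"""
import gzip
import json

# Constructed sample: one mutating call and one read-only call, delivered
# the way CloudTrail writes them, as a "Records" array.
SAMPLE_RECORDS = {
    "Records": [
        {
            "eventVersion": "1.02",
            "userIdentity": {
                "type": "IAMUser",
                "arn": "arn:aws:iam::123456789012:user/alice",
                "accountId": "123456789012",
                "userName": "alice",
            },
            "eventTime": "2014-11-05T14:02:11Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "StartInstances",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
            "requestParameters": {
                "instancesSet": {"items": [{"instanceId": "i-0abc1234"}]}
            },
            "responseElements": {
                "instancesSet": {"items": [{"instanceId": "i-0abc1234",
                                            "currentState": {"name": "pending"}}]}
            },
        },
        {
            "eventVersion": "1.02",
            "userIdentity": {
                "type": "Root",
                "arn": "arn:aws:iam::123456789012:root",
                "accountId": "123456789012",
            },
            "eventTime": "2014-11-05T14:03:40Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "DescribeInstances",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
            "requestParameters": {
                "instancesSet": {"items": [{"instanceId": "i-0abc1234"}]}
            },
            # Read-only calls carry no responseElements.
            "responseElements": None,
        },
    ]
}


def build_sample_file() -> bytes:
    """Gzip the sample records the way CloudTrail stores them in S3."""
    return gzip.compress(json.dumps(SAMPLE_RECORDS).encode("utf-8"))


def load_records(data: bytes) -> list:
    """Decompress one CloudTrail file and return its list of records."""
    return json.loads(gzip.decompress(data).decode("utf-8"))["Records"]


def principal(record: dict) -> str:
    """'root' for the root user, otherwise the IAM user name (or ARN)."""
    identity = record.get("userIdentity", {})
    if identity.get("type") == "Root":
        return "root"
    return identity.get("userName") or identity.get("arn", "unknown")


def resource_ids(params) -> list:
    """Collect string values of keys ending in 'Id' anywhere under
    requestParameters (instanceId, volumeId, ...)."""
    found = []
    if isinstance(params, dict):
        for key, value in params.items():
            if key.endswith("Id") and isinstance(value, str):
                found.append(value)
            else:
                found.extend(resource_ids(value))
    elif isinstance(params, list):
        for item in params:
            found.extend(resource_ids(item))
    return found


def is_read_only(record: dict) -> bool:
    """Non-mutating calls leave responseElements null."""
    return record.get("responseElements") is None


def summarize(record: dict) -> dict:
    """Flatten a nested record into the fields an investigator reads first."""
    return {
        "time": record["eventTime"],
        "principal": principal(record),
        "event": record["eventName"],
        "source_ip": record.get("sourceIPAddress"),
        "resource_ids": resource_ids(record.get("requestParameters")),
        "read_only": is_read_only(record),
    }


if __name__ == "__main__":
    for rec in load_records(build_sample_file()):
        print(summarize(rec))
```

The same `summarize` shape works on a real file pulled from the bucket with `load_records(open(path, "rb").read())`; the `Id`-suffix heuristic is deliberately loose because every service names its identifiers differently.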

Page 7

Giving CloudTrail access to S3

CloudTrail needs your permission to write files into your S3 bucket: the bucket policy must allow the CloudTrail service to read the bucket ACL (s3:GetBucketAcl) and to put objects under the log prefix (s3:PutObject), the latter only when the object ACL is bucket-owner-full-control.

http://docs.aws.amazon.com/awscloudtrail/latest/userguide/aggregating_logs_regions_bucket_policy.html

Page 8

Making CloudTrail tamper resistant

• Tamper resistant is not tamper proof!
• The key is segregation of duties
– The owner of the S3 bucket will always have the ability to delete objects
• Aggregate CloudTrail
– Into a separate account
– Owned by someone else (e.g. the security team)
• Restrict permissions on the bucket
– Create cross-account roles; use AssumeRole in the API to read the logs
– Give the audited accounts read-only access; delete and bucket-policy rights stay with the account that owns the logs

http://docs.aws.amazon.com/awscloudtrail/latest/userguide/SharingLogs.html

Page 9

What can you do with CloudTrail events?

• Detect unauthorized access attempts

• Detect access from new user, IP, location, or country

• Know when someone turns off CloudTrail

• Determine who created or modified an AWS resource
– Who started this EC2 instance? Who deleted my EBS volume?
• Look for people using the root user
– Don't use the root user; create IAM users
• Find unusual events
– New event types I haven't seen in the last 90 days

• Find stale or unused users or access keys

Page 10

New Feature: Support for Non-API Events

"CloudTrail records attempts to sign into the AWS Management Console, the AWS Discussion Forums and the AWS Support Center."

• Does not log failed logins by the root user
– Use MFA for the root user
• Account lockout in your password policy
– Recommendation: set the threshold high enough that users won't lock themselves out, but low enough that password guessing is useless
– Lockout does create a denial-of-service vector: anyone who knows a user name can lock that user out by failing logins on purpose
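The detections listed on the previous slide and the console sign-in events above come together in this added example (not code from the original deck or from CloudCheckr), which runs a small rule set over a batch of records: root-user activity, calls that switch off CloudTrail, failed console logins, console logins without MFA, and source IPs or event types absent from a 90-day baseline. The records and the baseline are constructed inline; account IDs, user names, IP addresses and timestamps are placeholders, and the MFAUsed flag is read from the additionalEventData section CloudTrail attaches to ConsoleLogin events.

```python
"""Run the deck's detections over a batch of CloudTrail records.

Added example, not code from the original deck or from CloudCheckr. Records
and the 90-day baseline are constructed inline; account IDs, user names, IP
addresses and timestamps are placeholders.
"""

# Baseline from the previous 90 days of logs (constructed for this example).
KNOWN_IPS = {"203.0.113.10"}
KNOWN_EVENTS = {
    ("ec2.amazonaws.com", "DescribeInstances"),
    ("signin.amazonaws.com", "ConsoleLogin"),
}

# Calls that switch off or weaken the audit trail itself.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def _ident(rec):
    """'root' for the root user, otherwise the IAM user name (or ARN)."""
    ident = rec.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn", "unknown")


def _login(rec, outcome):
    """True for a ConsoleLogin record with the given Success/Failure outcome."""
    return (rec.get("eventName") == "ConsoleLogin"
            and (rec.get("responseElements") or {}).get("ConsoleLogin") == outcome)


def run_rules(records, known_ips, known_events):
    """Return (rule, principal, eventName) for every rule that fires."""
    rules = [
        ("root_user_activity",
         lambda r: r.get("userIdentity", {}).get("type") == "Root"),
        ("cloudtrail_tampering",
         lambda r: r.get("eventSource") == "cloudtrail.amazonaws.com"
         and r.get("eventName") in TRAIL_TAMPER_EVENTS),
        ("console_login_failure", lambda r: _login(r, "Failure")),
        ("console_login_without_mfa",
         lambda r: _login(r, "Success")
         and (r.get("additionalEventData") or {}).get("MFAUsed") == "No"),
        ("new_source_ip", lambda r: r.get("sourceIPAddress") not in known_ips),
        ("new_event_type",
         lambda r: (r.get("eventSource"), r.get("eventName")) not in known_events),
    ]
    hits = []
    for rec in records:
        for name, fires in rules:
            if fires(rec):
                hits.append((name, _ident(rec), rec.get("eventName")))
    return hits


def _rec(user_type, name, source, event, ip, **extra):
    """Build a minimal constructed record with just the fields the rules read."""
    ident = {"type": user_type, "accountId": "123456789012"}
    if name:
        ident["userName"] = name
    rec = {"userIdentity": ident, "eventSource": source, "eventName": event,
           "sourceIPAddress": ip, "eventTime": "2014-11-05T14:00:00Z"}
    rec.update(extra)
    return rec


# Constructed sample batch: one benign record and four that should fire.
SAMPLE_RECORDS = [
    _rec("IAMUser", "alice", "ec2.amazonaws.com", "DescribeInstances",
         "203.0.113.10", responseElements=None),
    _rec("IAMUser", "bob", "signin.amazonaws.com", "ConsoleLogin", "198.51.100.7",
         responseElements={"ConsoleLogin": "Failure"},
         errorMessage="Failed authentication"),
    _rec("IAMUser", "alice", "cloudtrail.amazonaws.com", "StopLogging",
         "203.0.113.10", requestParameters={"name": "Default"}),
    _rec("Root", None, "iam.amazonaws.com", "CreateUser", "203.0.113.10",
         requestParameters={"userName": "new-admin"}),
    _rec("Root", None, "signin.amazonaws.com", "ConsoleLogin", "203.0.113.10",
         responseElements={"ConsoleLogin": "Success"},
         additionalEventData={"MFAUsed": "No"}),
]


if __name__ == "__main__":
    for hit in run_rules(SAMPLE_RECORDS, KNOWN_IPS, KNOWN_EVENTS):
        print(hit)
```

The baseline sets are what turn "new user, IP, or event type" into something testable: rebuild them from the last 90 days of records on a schedule, and feed each new batch through `run_rules` as it lands in the bucket.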

Page 11

Example: Logins to AWS Console

Page 12

Demo: How do I -

• Make sure CloudTrail is enabled?

• Make sure CloudTrail is configured securely?

• Monitor for best practices using CloudTrail

• Find CloudTrail events in my logs

• Get alerts from CloudTrail

http://aws.amazon.com/cloudtrail/partners/cloudcheckr/
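The first two demo questions (is CloudTrail enabled, and is it configured securely) reduce to a handful of checks on the trail's settings. This added example (not code from the original deck or from CloudCheckr) encodes them as a function over two dictionaries shaped like the CloudTrail DescribeTrails and GetTrailStatus API responses, constructed inline rather than fetched. It folds in the deck's slide 8 recommendation that the log bucket live in a separate account; the bucket-owner account ID is passed in by the caller, because DescribeTrails does not report it (an assumption of this example). A multi-region trail is the later equivalent of the deck's "enable in every region", and log file validation (digest files) is a CloudTrail feature added after this webinar.

```python
"""Check a trail's configuration against the deck's recommendations.

Added example, not code from the original deck or from CloudCheckr. The
inputs follow the shape of the CloudTrail DescribeTrails (trail) and
GetTrailStatus (status) responses but are constructed inline. The bucket
owner's account ID is supplied by the caller (assumed looked up separately).
"""


def check_trail(trail, status, own_account, bucket_owner_account):
    """Return a list of findings; an empty list means the trail passes."""
    findings = []
    if not status.get("IsLogging"):
        findings.append("trail is not logging (StopLogging was called, or it never started)")
    if status.get("LatestDeliveryError"):
        findings.append("last delivery to S3 failed: " + status["LatestDeliveryError"])
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail covers its home region only; enable it for all regions")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events (IAM, STS) are not being recorded")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is off, so altered log files cannot be detected")
    if bucket_owner_account == own_account:
        findings.append("log bucket is owned by the audited account; deliver to a bucket "
                        "in a separate security account")
    return findings


# Constructed examples: a default single-region trail writing into its own
# account, and a trail configured the way the deck recommends.
WEAK_TRAIL = {
    "Name": "Default",
    "S3BucketName": "app-account-logs",
    "IncludeGlobalServiceEvents": True,
    "IsMultiRegionTrail": False,
    "HomeRegion": "us-east-1",
    "LogFileValidationEnabled": False,
}
WEAK_STATUS = {"IsLogging": True, "LatestDeliveryError": ""}

HARDENED_TRAIL = {
    "Name": "org-audit",
    "S3BucketName": "security-team-cloudtrail",
    "IncludeGlobalServiceEvents": True,
    "IsMultiRegionTrail": True,
    "HomeRegion": "us-east-1",
    "LogFileValidationEnabled": True,
}
HARDENED_STATUS = {"IsLogging": True, "LatestDeliveryError": ""}

AUDITED_ACCOUNT = "123456789012"    # account whose API calls are logged
SECURITY_ACCOUNT = "210987654321"   # separate account that owns the bucket


if __name__ == "__main__":
    for finding in check_trail(WEAK_TRAIL, WEAK_STATUS,
                               AUDITED_ACCOUNT, AUDITED_ACCOUNT):
        print("FAIL:", finding)
    print("hardened trail findings:",
          check_trail(HARDENED_TRAIL, HARDENED_STATUS,
                      AUDITED_ACCOUNT, SECURITY_ACCOUNT))
```

Run this per account on a schedule and alert on any non-empty result; the `IsLogging` check in particular is the cheapest way to notice that someone turned CloudTrail off between one batch of log files and the next.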

Page 13

Questions?

Questions on:

• Best Practices

• CloudCheckr

Page 14

Thank You for Attending

Sign up today for a free evaluation at http://cloudcheckr.com

Aaron Newman is the Founder of CloudCheckr (www.cloudcheckr.com)

Please contact me with additional questions at: [email protected]