AWS CloudTrail Logs: A Security Monitoring Overview


With a vast market share and a wide range of security services for organizations, Amazon Web Services (AWS) is the most prominent cloud service provider. AWS offers countless tools and services, and it’s easy to see how security teams can get overwhelmed with all the different options available to secure their AWS account. 

But one service, AWS CloudTrail, stands out as one of the most practical tools for security governance, threat detection, and response. Plus, it’s not difficult to set up.  

An overview of AWS CloudTrail from a security perspective

The AWS CloudTrail service provides you with complete visibility into your AWS account from a security auditing, governance, compliance, and risk perspective.

With CloudTrail, each action taken by a user, role, or an AWS service is logged and recorded as an event.

Remember, logging is an essential component of any robust cybersecurity program. 

With the logs generated by CloudTrail, you can:

  • View, search, download, archive, analyze and respond to account activity across your AWS services
  • Gain detailed visibility into user, service and resource activity 
  • Troubleshoot security and operational issues by tracking changes in your accounts
  • Build detective security controls and automate their response around important CloudTrail event activity 

To sum up, CloudTrail allows you to analyze your AWS account to identify who or what took which action, which resources were acted upon, and when the event occurred. CloudTrail is critical for understanding your cloud security posture and provides a wide variety of rich data.

Why CloudTrail logs are key for your monitoring program

When it comes to analyzing events that occur in your AWS environment, CloudTrail logs are like the perfect Swiss Army knife. 

At a high level, there are four primary benefits of leveraging CloudTrail logs for your monitoring program:

1. Take charge of security visibility: As mentioned above, CloudTrail enables you to discover and analyze every single activity (user, role, service, and even API) occurring within your environment. Further, CloudTrail facilitates discovery and troubleshooting of operational and security issues while capturing a detailed history of changes at regular intervals.

2. Compliance and monitoring made simple: CloudTrail can easily be integrated with another AWS service like Amazon CloudWatch so you can alert and expedite your response to any non-compliance event.

3. Automate security: With CloudTrail, you can automate responses to security threats much faster than traditional detection and response systems.

4. Detect data exfiltration (data theft): You can take advantage of CloudTrail to record Simple Storage Service (S3) object-level API events to help detect data exfiltration and perform usage analysis of S3 objects.
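One way to turn S3 object-level events into an exfiltration signal is to aggregate successful GetObject calls per principal and bucket. The following is an added example in plain Python, not code from the original page or from Panther; the sample records are constructed, and the thresholds, ARNs, IPs and bucket names are assumptions.

```python
from collections import defaultdict

def s3_get(arn, ip, bucket, key, size):
    """Build one constructed CloudTrail S3 data-event record for GetObject."""
    return {
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "sourceIPAddress": ip, "userIdentity": {"type": "AssumedRole", "arn": arn},
        "requestParameters": {"bucketName": bucket, "key": key},
        "additionalEventData": {"bytesTransferredOut": size},
    }

# Constructed sample records; the ARNs, IPs and bucket names are placeholders.
ETL = "arn:aws:sts::111122223333:assumed-role/etl-job/nightly"
DEV = "arn:aws:sts::111122223333:assumed-role/developer/alice"
SAMPLE = (
    [s3_get(ETL, "10.0.1.5", "example-reports", f"daily/{i}.csv", 2_000) for i in range(3)]
    + [s3_get(DEV, "203.0.113.7", "example-customer-data", f"export/{i}.parquet", 50_000_000)
       for i in range(6)]
    + [dict(s3_get(DEV, "203.0.113.7", "example-secrets", "keys.txt", 0), errorCode="AccessDenied")]
    + [{"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
        "userIdentity": {"arn": DEV}, "sourceIPAddress": "203.0.113.7"}]
)

def summarize_s3_reads(records):
    """Aggregate successful GetObject data events per (principal, bucket)."""
    stats = defaultdict(lambda: {"keys": set(), "bytes": 0, "ips": set()})
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != ("s3.amazonaws.com", "GetObject"):
            continue
        if rec.get("errorCode"):  # a denied or failed read returned no object data
            continue
        params = rec.get("requestParameters") or {}
        who = (rec.get("userIdentity") or {}).get("arn", "unknown")
        entry = stats[(who, params.get("bucketName"))]
        entry["keys"].add(params.get("key"))
        entry["bytes"] += (rec.get("additionalEventData") or {}).get("bytesTransferredOut", 0)
        entry["ips"].add(rec.get("sourceIPAddress"))
    return stats

def flag_bulk_reads(records, max_objects=5, max_bytes=100_000_000):
    """Return one finding per (principal, bucket) over either threshold (assumed defaults)."""
    findings = []
    for (who, bucket), entry in summarize_s3_reads(records).items():
        if len(entry["keys"]) > max_objects or entry["bytes"] > max_bytes:
            findings.append({"principal": who, "bucket": bucket, "objects": len(entry["keys"]),
                             "bytes": entry["bytes"], "source_ips": sorted(entry["ips"])})
    return findings

if __name__ == "__main__":
    for finding in flag_bulk_reads(SAMPLE):
        print(finding)
```

In practice the thresholds would be tuned per bucket and evaluated over a time window, which this example leaves out.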

Digging a little deeper, there are several ways CloudTrail delivers data for security monitoring. 

Here are the most prominent:

S3 Bucket

An S3 bucket is required to create a new trail, and the trail can optionally be configured to send a message to an SNS topic when new data is delivered. This delivery path can be used to initiate data processing pipelines and has increased reliability over using S3 event notifications. CloudTrail delivers data between five and fifteen minutes after the event occurs.

CloudWatch Events

CloudWatch Events enables you to analyze CloudTrail data in real time. When a trail is created, its data is automatically sent to CloudWatch Events. The data can be processed by using Event Rules to forward information to Lambda functions, Kinesis Streams, and more. One notable drawback is that each region and account must be set up to centralize the data, and only write-level events are captured.

CloudWatch Logs

CloudTrail data can also be sent to a CloudWatch Logs log group, which makes it possible to process multi-region data in real time from a single place. Cost and flexibility may be impacted, however, since only a single subscription filter can be associated with a log group.

Macie and GuardDuty

AWS Macie is a service that uses machine learning on S3 data to identify anomalous activity, while AWS GuardDuty is a broader service that can identify attacker activity (such as reconnaissance) in an account. Enabling these services can deliver quick wins in analyzing CloudTrail data.

Encryption

Since CloudTrail data is sensitive, it’s highly recommended to protect it with KMS encryption.

When creating the trail, a KMS key can be associated with it by passing in the key ID. Additionally, an appropriate policy should grant kms:Decrypt permissions on the key to the users or roles that need to process the data.

Insights

CloudTrail’s Insights service can help detect higher than normal API call volume on write-based events, such as spikes in resource provisioning, bursts of AWS Identity and Access Management (IAM) actions, or gaps in periodic maintenance activity.  

How to pull AWS CloudTrail logs into a next-gen SIEM like Panther

Setting up CloudTrail to integrate with Panther is simple and fast. You’ll find more detailed and specific instructions here.

But in a nutshell, the process involves four easy steps:

1. Connecting your AWS account to Panther

2. Performing a baseline scan to identify all existing CloudTrails in your account(s)

3. Identifying security issues with built-in detections

4. Sending alerts if non-compliant CloudTrails exist

When it comes to CloudTrail logs best practices, Panther recommends the following: 

Centralize CloudTrail logging: Log all accounts into a single S3 Bucket, with the easiest implementation being an organization-wide trail.


S3 access logging: Enable S3 Access logging and tracking for CloudTrail in order to identify exfiltration.


Object locking: For highly compliant environments, enable S3 Object Locking on your S3 Bucket to ensure data cannot be deleted.


KMS Encryption: Ensure log files at rest are encrypted with a Customer Managed KMS key to safeguard against unwarranted access.
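The recommendations above, together with the earlier Encryption section, can be checked mechanically against trail and bucket settings. The following is an added example in plain Python, not Panther's built-in policies or code from the original page; the trail records follow the shape of `aws cloudtrail describe-trails` output, while the merged bucket structure and all names and ARNs are constructed assumptions.

```python
# Constructed sample in the shape returned by `aws cloudtrail describe-trails`;
# names, account IDs and ARNs are placeholders.
TRAILS = [
    {"Name": "org-trail", "S3BucketName": "example-central-logs", "IsOrganizationTrail": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"Name": "legacy-dev-trail", "S3BucketName": "example-dev-logs", "IsOrganizationTrail": False},
]
# Constructed bucket settings keyed by bucket name (assumed merge of the S3
# get-bucket-logging and get-object-lock-configuration responses).
BUCKETS = {
    "example-central-logs": {
        "LoggingEnabled": {"TargetBucket": "example-access-logs", "TargetPrefix": "ct/"},
        "ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}},
    "example-dev-logs": {},
}

def audit_trail(trail, bucket, require_object_lock=False):
    """Return the best-practice gaps for one trail and its destination bucket."""
    issues = []
    if not trail.get("KmsKeyId"):
        issues.append("log files are not encrypted with a KMS key")
    if not bucket.get("LoggingEnabled"):
        issues.append("S3 access logging is disabled on the log bucket")
    lock = bucket.get("ObjectLockConfiguration") or {}
    # Object Lock is only demanded when the caller opts in (highly compliant environments).
    if require_object_lock and lock.get("ObjectLockEnabled") != "Enabled":
        issues.append("S3 Object Lock is not enabled on the log bucket")
    return issues

def audit_account(trails, buckets, require_object_lock=False):
    """Audit every trail, then check that logging is centralized."""
    report = {}
    for t in trails:
        bucket = buckets.get(t["S3BucketName"], {})
        report[t["Name"]] = audit_trail(t, bucket, require_object_lock)
    account = []
    if len({t["S3BucketName"] for t in trails}) > 1:
        account.append("trails deliver to more than one S3 bucket")
    if not any(t.get("IsOrganizationTrail") for t in trails):
        account.append("no organization-wide trail found")
    report["_account"] = account
    return report

if __name__ == "__main__":
    for name, issues in audit_account(TRAILS, BUCKETS, require_object_lock=True).items():
        print(name, issues or "OK")
```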

Why Panther

Panther can collect, normalize, and analyze your CloudTrail logs to detect suspicious activity in real-time. Panther’s cloud-native security analytics platform ships with pre-built integrations to make it easy to quickly analyze your data, triage alerts, and remediate incidents. 

With CloudTrail data, Panther enables the following use cases:

  • Analyze and keep track of changes to infrastructure (e.g., ACL changes)
  • Receive real-time alerts to suspicious activity
  • Ingest all your CloudTrail data in one place and gain insights into your CloudTrail logging activity using S3
  • Ensure the most secure configuration possible

With Panther, you get to take advantage of practical built-in policies for continuous monitoring of CloudTrail resources. Or, you can simply write your own detections in Python to fit your internal business use cases. 

Read our documentation on how to use Panther to track events from your CloudTrail.