AWS CloudTrail Integration Guide With Breach Detection


Overview

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.

Ingesting AWS CloudTrail logs into the Breach Detection platform lets the SIEM categorize the logs, confirm that every log is ingested, and bring them together with other data sources. The logs are then analyzed to detect specific events that could rapidly damage the environment (detections to be released), using the functionality of the SIEM tool.

WHAT WE NEED

  1. The folder structure of the S3 bucket created together with the CloudTrail trail.
  2. The API key and secret generated while creating the user.

WHAT YOU NEED

  1. Access to the AWS portal.
  2. The logged-in user has an admin role that allows configuring and changing settings in the console.

CloudTrail Integration


1. Create a trail.

2. Ensure that all logs are stored in a separate bucket: while creating the trail, create a new bucket. The bucket name must be unique and follow AWS naming rules.

3. Once the trail is created, AWS adds its own bucket policy to the bucket created with the trail. You can open the S3 bucket and review that bucket policy for reference.

4. Create a new group and user specifically for CloudTrail log ingestion into Stellar Cyber. A newly created group has no access: AWS allocates no policies to it by default.

Create the user and give it programmatic access; this generates the access key ID and secret access key for the AWS API.

Now create a policy that gives this user access only to the S3 bucket created with the trail. This way we restrict access to all other buckets.

Create a custom managed policy. Click Create Policy and paste the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::$bucketname",
                "arn:aws:s3:::$bucketname/*"
            ]
        },
        {
            "Effect": "Deny",
            "NotAction": "s3:*",
            "NotResource": [
                "arn:aws:s3:::*",
                "arn:aws:s3:::*/*"
            ]
        }
    ]
}

Ensure the JSON above is pasted into the policy being created.

Refer to the AWS documentation for access-control policy best practices.

Once the policy is created, attach it to this specific user by selecting it.
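To check the pasted policy before attaching it, here is an added example in Python (not part of this guide and not Stellar Cyber tooling) that lints an IAM policy document: it flags Allow statements whose actions go beyond the read operations a log collector needs (assumed here to be s3:ListBucket, s3:GetBucketLocation and s3:GetObject) or whose resources lie outside the trail bucket. It carries the guide's policy, which it flags because s3:* also permits writes and deletes on the log bucket, beside a tightened read-only variant that passes; the placeholder $bucketname is kept as in the guide.

```python
"""Lint the IAM policy for the CloudTrail log-collector user before attaching it.

Added example (not from the guide): an Allow statement for a log collector should
name only the trail's bucket and only the read actions the collector needs.
"""
import json

# Placeholder bucket name, exactly as in the guide's policy.
BUCKET = "$bucketname"
BUCKET_ARNS = {f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"}

# Assumption: a read-only collector needs to list the bucket and fetch objects.
READ_ONLY_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject"}

# The policy as given in the guide, kept as text so it can be validated as pasted.
GUIDE_POLICY_JSON = """
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::$bucketname", "arn:aws:s3:::$bucketname/*"]
        },
        {
            "Effect": "Deny",
            "NotAction": "s3:*",
            "NotResource": ["arn:aws:s3:::*", "arn:aws:s3:::*/*"]
        }
    ]
}
"""

# Tightened variant (assumption, not the guide's text): same bucket, read actions only.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": f"arn:aws:s3:::{BUCKET}",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings for Allow statements that exceed read-only access to the
    trail bucket. An empty list means the policy is scoped as intended."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove permissions; nothing to widen
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {idx}: Allow with NotAction/NotResource grants an open-ended set")
        for action in _as_list(stmt.get("Action", [])):
            if action not in READ_ONLY_ACTIONS:
                findings.append(f"statement {idx}: action {action!r} is broader than read-only")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in BUCKET_ARNS:
                findings.append(f"statement {idx}: resource {resource!r} is outside the trail bucket")
    return findings


def lint_policy_json(text):
    """Parse a pasted policy document and lint it."""
    return lint_policy(json.loads(text))


if __name__ == "__main__":
    print("guide policy:", lint_policy_json(GUIDE_POLICY_JSON) or "no findings")
    print("read-only policy:", lint_policy(READ_ONLY_POLICY) or "no findings")
```

Run it directly to see the findings for both documents. If you tighten the policy this way, the Deny statement from the guide can stay as it is, since an explicit Deny never grants anything.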

Once the user is created, ensure that the CSV containing the access key ID and secret access key is downloaded and forwarded to your Customer Success Manager.


Additionally, provide the folder structure showing which logs will be ingested. This tells us which logs are being ingested, based on the CloudTrail configuration.



Note: If you use multiple regions, ensure that logs are collected from all regions when creating the CloudTrail configuration.
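One way to confirm the multi-region point above, and to document the folder structure requested earlier, is to look at the object keys in the trail bucket. The added example below (not part of this guide) parses the standard CloudTrail key layout, AWSLogs/<account-id>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/<file>.json.gz with an optional bucket prefix, and reports which regions are delivering logs and which expected regions are silent. The keys and the expected region list are constructed for the example.

```python
"""Check which regions a CloudTrail bucket is actually delivering logs for.

Added example (not from the guide). CloudTrail writes log files under
  [prefix/]AWSLogs/<account-id>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/<file>.json.gz
so the object keys alone show which account, region and day each file covers.
"""
import re
from collections import Counter

KEY_RE = re.compile(
    r"AWSLogs/(?:o-[a-z0-9]+/)?"                 # optional organization id (org trails)
    r"(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)/"  # e.g. us-east-1, eu-west-1, us-gov-west-1
    r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/"
    r"(?P<file>[^/]+\.json\.gz)$"
)

# Constructed sample keys: two us-east-1 files, one eu-west-1 file under a custom
# prefix, one digest file (not a log file) and one folder marker.
SAMPLE_KEYS = [
    "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/15/"
    "123456789012_CloudTrail_us-east-1_20240115T0100Z_AbCdEf123456.json.gz",
    "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/15/"
    "123456789012_CloudTrail_us-east-1_20240115T0105Z_GhIjKl789012.json.gz",
    "prod-trail/AWSLogs/123456789012/CloudTrail/eu-west-1/2024/01/15/"
    "123456789012_CloudTrail_eu-west-1_20240115T0100Z_MnOpQr345678.json.gz",
    "AWSLogs/123456789012/CloudTrail-Digest/us-east-1/2024/01/15/"
    "123456789012_CloudTrail-Digest_us-east-1_20240115T010000Z.json.gz",
    "AWSLogs/123456789012/CloudTrail/us-east-1/",
]

# Constructed: the regions the trail is expected to cover.
EXPECTED_REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]


def parse_key(key):
    """Return account, region, date and file name for a CloudTrail log object,
    or None for anything else in the bucket (digests, folder markers, ...)."""
    match = KEY_RE.search(key)
    if match is None:
        return None
    parsed = match.groupdict()
    parsed["date"] = f"{parsed.pop('year')}-{parsed.pop('month')}-{parsed.pop('day')}"
    return parsed


def region_coverage(keys, expected_regions):
    """Count log files per region and list expected regions with no files at all."""
    seen = Counter()
    for key in keys:
        parsed = parse_key(key)
        if parsed is not None:
            seen[parsed["region"]] += 1
    missing = sorted(set(expected_regions) - set(seen))
    return dict(seen), missing


if __name__ == "__main__":
    seen, missing = region_coverage(SAMPLE_KEYS, EXPECTED_REGIONS)
    print("log files per region:", seen)
    print("expected regions with no logs:", missing)
```

In practice the key list would come from listing the trail bucket; a region in the expected list with no files is the first thing to check against the trail's multi-region setting.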