AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.
Ingesting AWS CloudTrail logs into the Breach Detection Platform enables the SIEM to categorize the logs, ensure that every log is ingested and correlated, and analyze them to rapidly detect any specific events that could damage the environment (to be released), based on the functionality of the SIEM tool.
1. Create a trail
2. Let's ensure that all logs are stored in a separate bucket, so create a new bucket while creating the trail. The bucket name must be unique, as required by AWS S3 naming rules.
3. Once the trail is created, AWS adds its own bucket policy to the bucket created with the trail. You can open the S3 bucket and check its bucket policy for reference.
4. Let's create a new group and user specifically for CloudTrail log ingestion into Stellar Cyber. A newly created group has no access by default; AWS attaches no policies to it.
Create the user and give it programmatic access; this generates the access key ID and secret access key used for the AWS API.
Now let's create a policy that gives this user access only to the S3 bucket created with the trail.
This way we restrict access to all other buckets.
Let's create our own custom managed policy:
Click on Create Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::$bucketname",
        "arn:aws:s3:::$bucketname/*"
      ]
    },
    {
      "Effect": "Deny",
      "NotAction": "s3:*",
      "NotResource": [
        "arn:aws:s3:::*",
        "arn:aws:s3:::*/*"
      ]
    }
  ]
}
Ensure that the policy document above is pasted into the policy being created.
Refer to the AWS documentation for access control best practices.
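Before attaching the policy, it helps to check what it actually permits. The following is an added example, not code from the original guide or from Stellar Cyber: a small evaluator that applies IAM's explicit-deny, allow, implicit-deny precedence and wildcard matching to the policy above, showing that other buckets are only implicitly denied, that non-S3 calls are explicitly denied, and that s3:* also permits s3:DeleteObject on the trail logs (a read-only ingestion user could be narrowed to s3:GetObject and s3:ListBucket). It assumes the constructed bucket name example-trail-bucket in place of $bucketname.

```python
import fnmatch
import json

# The custom managed policy from this page, with the constructed bucket name
# "example-trail-bucket" substituted for the $bucketname placeholder.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:*",
   "Resource": ["arn:aws:s3:::example-trail-bucket", "arn:aws:s3:::example-trail-bucket/*"]},
  {"Effect": "Deny", "NotAction": "s3:*",
   "NotResource": ["arn:aws:s3:::*", "arn:aws:s3:::*/*"]}]}""")


def _matches(value, patterns, case_insensitive):
    """IAM-style wildcard match: '*' and '?' (a '*' also spans '/')."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if case_insensitive:  # action names are case-insensitive, resource ARNs are not
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _applies(stmt, action, resource):
    """Does the statement's Action/NotAction and Resource/NotResource cover the request?"""
    if "Action" in stmt and not _matches(action, stmt["Action"], True):
        return False
    if "NotAction" in stmt and _matches(action, stmt["NotAction"], True):
        return False
    if "Resource" in stmt and not _matches(resource, stmt["Resource"], False):
        return False
    if "NotResource" in stmt and _matches(resource, stmt["NotResource"], False):
        return False
    return True


def evaluate(policy, action, resource):
    """Identity-policy decision: explicit Deny beats Allow; no match is an implicit deny."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if not _applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    log = "arn:aws:s3:::example-trail-bucket/AWSLogs/x.json.gz"
    for act, res in [("s3:GetObject", log), ("s3:DeleteObject", log),
                     ("s3:GetObject", "arn:aws:s3:::other-bucket/x"), ("ec2:DescribeInstances", "*")]:
        print(act, res, "->", evaluate(POLICY, act, res))
```

The evaluator ignores conditions and resource-based policies such as the bucket policy CloudTrail attaches, so treat it as a sanity check rather than a substitute for the IAM policy simulator.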
Once the policy is created, attach it to this specific user.
Once the user is created, ensure that the CSV containing the access key ID and secret access key is downloaded and forwarded to your Customer Success Manager.
Additionally, provide the folder structure of the logs that will be ingested, so we know which logs are being ingested based on the CloudTrail configuration.
Note: If you have multiple regions, ensure that logs are collected from all regions when creating the CloudTrail configuration.