Threat Stack CloudTrail Monitoring - Monitor changes to AWS Infrastructure
What is the Threat Stack CloudTrail Feature?
Amazon Web Services uses CloudTrail to record all infrastructure changes in a centralized log. The Threat Stack CloudTrail feature set analyzes these CloudTrail logs to give customers a comprehensive and continual audit of changes to their AWS infrastructure, measured against best practices and compliance requirements.
This article covers
- CloudTrail best practices rules and examples
- CloudTrail Alerts
How does Threat Stack Alert on Non-compliant Changes to Infrastructure?
Threat Stack has built-in rules (part of the CloudTrail base rule set) that capture several AWS best practices and alert users when non-compliant API calls are made against the infrastructure.
Let's take a look at some examples:
Example 1 - AWS Account Compromised: Attacker Tampering with Logs
When an account is compromised, one of the first things attackers do is stop logging of API calls and delete the existing trails.
Note - The rules here are built on eventName; customers can create any rule based on any eventName or eventSource.
Example 2 - Users running instances in non-standard, hidden regions, incurring costs
Note - Rules in the above example are made with eventName and region combination.
Example 3 - Are Security Groups being created or changed in ways that fall outside your security policy? (example: wide-open security groups)
Note - The rules in the above example are built on eventName and specific keys such as AuthorizeSecurityGroupIngress.
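As an added example (not Threat Stack's own rule engine), the following Python evaluator applies the three checks described above to constructed CloudTrail records, including the per-user suppression mentioned later in this article. The record layout follows CloudTrail's JSON fields (eventName, eventSource, awsRegion, userIdentity, requestParameters); the rule names, severities and the approved-region list are assumptions.

```python
APPROVED_REGIONS = {"us-east-1", "us-west-2"}   # assumed regional policy

# Constructed CloudTrail records, trimmed to the fields the rules inspect.
SAMPLE_EVENTS = [
    {"eventTime": "2023-01-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2023-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-south-1", "userIdentity": {"userName": "bob"}},
    {"eventTime": "2023-01-01T10:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "userIdentity": {"userName": "carol"},
     "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2023-01-01T10:15:00Z", "eventSource": "ec2.amazonaws.com",  # compliant
     "eventName": "RunInstances", "awsRegion": "us-east-1", "userIdentity": {"userName": "dave"}},
]

def log_tampering(ev):                      # Example 1: logging stopped or trail deleted
    return (ev["eventSource"] == "cloudtrail.amazonaws.com"
            and ev["eventName"] in {"StopLogging", "DeleteTrail"})

def hidden_region(ev):                      # Example 2: eventName + region combination
    return ev["eventName"] == "RunInstances" and ev["awsRegion"] not in APPROVED_REGIONS

def open_security_group(ev):                # Example 3: ingress allowed from anywhere
    if ev["eventName"] != "AuthorizeSecurityGroupIngress":
        return False
    for perm in ev.get("requestParameters", {}).get("ipPermissions", {}).get("items", []):
        v4 = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        v6 = [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        if "0.0.0.0/0" in v4 or "::/0" in v6:
            return True
    return False

RULES = [("cloudtrail-logging-disabled", "critical", log_tampering),
         ("ec2-instance-in-unapproved-region", "high", hidden_region),
         ("security-group-open-to-world", "high", open_security_group)]

def evaluate(events, suppressed_users=frozenset()):
    # One alert per (event, matching rule); suppressed users raise none.
    alerts = []
    for ev in events:
        user = ev.get("userIdentity", {}).get("userName")
        if user in suppressed_users:
            continue
        for rule_name, severity, check in RULES:
            if check(ev):
                alerts.append({"rule": rule_name, "severity": severity, "user": user,
                               "when": ev["eventTime"], "region": ev["awsRegion"]})
    return alerts
```

Running `evaluate(SAMPLE_EVENTS)` yields one alert each for alice, bob and carol and none for dave's compliant launch; passing `suppressed_users={"alice"}` drops the first.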
Alerts on CloudTrail
Users can view CloudTrail alerts on the Alerts page.
- Users can view CloudTrail specific alerts on the CloudTrail tab
- Filter by rules
- Filter based on severities (as set by the built-in rule set)
Clicking on an alert brings up the alert preview pane at the bottom, which shows these additional details:
- When was the API call made?
- Who made the API call?
- Which account is involved?
- View the raw event
Users can choose to not get alerts on specific users or actions by adding a suppression.