Threat Stack CloudTrail Feature Set - Audit changes to AWS Infrastructure
What is the Threat Stack CloudTrail Feature?
Amazon Web Services uses CloudTrail to record all infrastructure changes (API calls) in a centralized log. The Threat Stack CloudTrail feature set analyzes those CloudTrail logs to give customers a comprehensive, continuous audit of changes to their AWS infrastructure, checked against best practices and compliance requirements.
This article covers
- CloudTrail best practices rules and examples
- CloudTrail Alerts
How does Threat Stack Alert on Non-compliant Changes to Infrastructure?
Threat Stack has built-in rules (part of the CloudTrail base rule set) that capture several AWS best practices and alert users when non-compliant API calls are made to the infrastructure.
Let's take a look at some examples:
Example 1 - AWS Account got Compromised — Attacker Compromising Logs
When an account is compromised, one of the first things an attacker does is stop logging of API calls and delete existing trails, so that later activity leaves no audit record.
Note - The rules here are based on eventName; customers can create any rule based on any eventName or eventSource.
Example 2 - Users running instances in non-standard or hidden regions, incurring costs
Note - The rules in the above example are based on an eventName and region combination.
Example 3 - Are Security Groups getting Created or Changed that would be out of your Security Policy? (example — wide open security groups)
Note - The rules in the above example are based on an eventName together with specific request keys, such as the CIDR ranges in an AuthorizeSecurityGroupIngress call.
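To make the three rule shapes concrete (eventName alone, eventName plus region, eventName plus a key in the request), here is an added example evaluator that is not Threat Stack's own rule engine; the specific event names, the allowed-region list, the world-open CIDR check, the severities and the sample records are assumptions constructed for illustration.

```python
# Added example, not Threat Stack's rule engine: a minimal evaluator for the
# three CloudTrail rule patterns described above. Event names, allowed regions,
# the CIDR check and severities are assumptions chosen for illustration.
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}  # assumed organisation standard

def _cidrs(event):
    """Yield CIDR ranges from an AuthorizeSecurityGroupIngress request."""
    params = event.get("requestParameters") or {}
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        for r in (perm.get("ipRanges") or {}).get("items", []):
            yield r.get("cidrIp", "")

def evaluate(event):
    """Return (rule, severity) pairs matched by one CloudTrail record."""
    hits, name, region = [], event.get("eventName"), event.get("awsRegion")
    # Example 1: eventName alone - the audit trail itself is being disabled
    if (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and name in {"StopLogging", "DeleteTrail"}):
        hits.append(("CloudTrail logging disabled", "critical"))
    # Example 2: eventName + region combination
    if name == "RunInstances" and region not in ALLOWED_REGIONS:
        hits.append(("Instance launched in non-standard region", "high"))
    # Example 3: eventName + a key inside requestParameters (world-open CIDR)
    if (name == "AuthorizeSecurityGroupIngress"
            and any(c in ("0.0.0.0/0", "::/0") for c in _cidrs(event))):
        hits.append(("Security group opened to the world", "high"))
    return hits

def scan(records, suppressed_users=()):
    """Evaluate every record, skipping users covered by a suppression."""
    alerts = []
    for ev in records:
        user = (ev.get("userIdentity") or {}).get("userName")
        if user in suppressed_users:
            continue  # suppression: no alerts for this user
        for rule, sev in evaluate(ev):
            alerts.append({"rule": rule, "severity": sev, "user": user,
                           "time": ev.get("eventTime"), "region": ev.get("awsRegion")})
    return alerts

# Constructed sample records in CloudTrail's JSON record layout
SAMPLE_RECORDS = [
    {"eventTime": "2023-01-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "userIdentity": {"userName": "intruder"}},
    {"eventTime": "2023-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "sa-east-1", "userIdentity": {"userName": "dev1"}},
    {"eventTime": "2023-01-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1", "userIdentity": {"userName": "dev1"},
     "requestParameters": {"ipPermissions": {"items": [{"ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
]
```

Calling `scan(SAMPLE_RECORDS)` yields one alert per sample record, and `scan(SAMPLE_RECORDS, suppressed_users=("dev1",))` shows how a per-user suppression drops the two alerts raised by that user while keeping the logging-disabled alert.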
Alerts on CloudTrail
Users can view CloudTrail alerts on the CloudTrail tab of the Alerts page, and can filter them by severity (as set by the built-in rule set) and by rule.
Clicking on an alert brings up the alert preview pane at the bottom, which shows these additional details:
- When was the API call made?
- Who made the API call?
- Which account was involved?
- View the raw event
Users can choose to not get alerts on specific users or actions by adding a suppression.