Get Started with CloudTrail Alerting


Threat Stack CloudTrail Monitoring - Monitor changes to AWS Infrastructure

What is the Threat Stack CloudTrail Feature?

Amazon Web Services uses CloudTrail to record all infrastructure changes in a centralized log. The Threat Stack CloudTrail feature set analyzes those CloudTrail logs to give customers a comprehensive and continual audit of changes to their AWS infrastructure against best practices and compliance requirements.

This article covers:

  • CloudTrail best practices rules and examples
  • CloudTrail Alerts

How does Threat Stack Alert on Non-compliant Changes to Infrastructure?

Threat Stack has built-in rules (part of the CloudTrail base rule set) that capture several AWS best practices and alert users when non-compliant calls are made to the infrastructure.

Let's take a look at some examples:

Example 1 - AWS Account Compromised: Attacker Tampering with Logging

When an account is compromised, one of the first things an attacker does is stop logging of API calls and delete the existing trails, so these calls are alerted on directly.

Note - The rules in this example match on eventName; customers can build a rule on any eventName or eventSource.

Example 2 - Users running instances in non-standard (hidden) regions, incurring costs

Note - The rules in this example match on the combination of eventName and region.

Example 3 - Are Security Groups being Created or Changed outside your Security Policy? (for example, wide-open security groups)

Note - The rules in this example match on eventName and specific keys such as AuthorizeSecurityGroupIngress.
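To make the three rule shapes concrete (eventName only, eventName plus region, and eventName plus request keys), here is a small rule evaluator written for this article. It is an added illustration, not Threat Stack's rule engine or its rule syntax; the records are constructed in CloudTrail's JSON shape with made-up values, the account id and ARNs are placeholders, and the severity scale, region allowlist and rule names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed, simplified CloudTrail records. Field names follow CloudTrail's JSON
# schema (eventSource, eventName, awsRegion, userIdentity, requestParameters);
# the account id, ARNs and values are placeholders made up for this example.
SAMPLE_EVENTS: List[Dict] = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "main-trail"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "main-trail"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "ap-south-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"instanceType": "p3.16xlarge"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"instanceType": "t3.micro"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
]


@dataclass
class Rule:
    name: str
    severity: int                                # hypothetical scale: 1 = highest
    event_names: Set[str]                        # eventName values that match
    event_source: Optional[str] = None           # restrict to one AWS service
    approved_regions: Optional[Set[str]] = None  # alert when awsRegion is outside this set
    wide_open_ingress: bool = False              # alert only if a 0.0.0.0/0 or ::/0 range is granted


# Hypothetical rules mirroring the three examples in the article.
RULES = [
    Rule("CloudTrail logging stopped or trail deleted", 1,
         {"StopLogging", "DeleteTrail", "UpdateTrail"},
         event_source="cloudtrail.amazonaws.com"),
    Rule("Instance launched outside approved regions", 2,
         {"RunInstances"}, event_source="ec2.amazonaws.com",
         approved_regions={"us-east-1", "us-west-2"}),
    Rule("Security group ingress opened to the world", 1,
         {"AuthorizeSecurityGroupIngress"}, event_source="ec2.amazonaws.com",
         wide_open_ingress=True),
]


def world_open_cidrs(event: Dict) -> List[str]:
    """CIDR ranges in an AuthorizeSecurityGroupIngress request that admit any address."""
    found = []
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        for rng in ranges:
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
            # A /0 prefix (0.0.0.0/0 or ::/0) matches every source address.
            if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                found.append(cidr)
    return found


def evaluate(rule: Rule, event: Dict) -> Optional[Dict]:
    """Return an alert record if the event matches the rule, else None."""
    if event.get("eventName") not in rule.event_names:
        return None
    if rule.event_source and event.get("eventSource") != rule.event_source:
        return None
    if rule.approved_regions is not None and event.get("awsRegion") in rule.approved_regions:
        return None
    if rule.wide_open_ingress and not world_open_cidrs(event):
        return None
    return {
        "rule": rule.name,
        "severity": rule.severity,
        "eventName": event.get("eventName"),
        "region": event.get("awsRegion"),
        "user": event.get("userIdentity", {}).get("arn", "unknown"),
    }


def run_rules(rules: List[Rule], events: List[Dict]) -> List[Dict]:
    """Evaluate every rule against every event, keeping event order."""
    alerts = []
    for event in events:
        for rule in rules:
            alert = evaluate(rule, event)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_rules(RULES, SAMPLE_EVENTS):
        print(f"[sev {alert['severity']}] {alert['rule']}: {alert['eventName']} "
              f"by {alert['user']} in {alert['region']}")
```

Run against the constructed records, the evaluator raises four alerts: both CloudTrail tampering calls, the RunInstances in ap-south-1, and the security group rule that opens port 22 to 0.0.0.0/0. The RunInstances in an approved region and the ingress rule scoped to 10.0.0.0/8 produce nothing, which is the point of matching on region and request keys rather than on eventName alone.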

Alerts on CloudTrail

Users can view CloudTrail alerts on the Alerts page.

  1. Users can view CloudTrail-specific alerts on the CloudTrail tab
  2. Filter by rule
  3. Filter by severity (as set by the built-in rule set)

Clicking on an alert opens the alert preview pane at the bottom of the page, which shows these additional details:

  • When was the API call made?
  • Who made the API call?
  • Which account was involved?
  • View the raw event

Users can choose not to receive alerts for specific users or actions by adding a suppression.

For more on suppressions, see the suppressions article.
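The following is an added example of how a user-or-action suppression is applied to a list of alerts; it is not Threat Stack's suppression feature or its matching rules. The alert records and the suppression are constructed for the example, the ARNs and account id are placeholders, and glob matching on the caller ARN and eventName is an assumption chosen to show why scoping a suppression to a user and action pair is safer than suppressing an action outright.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Suppression:
    """Suppress alerts for a user, an action, or a specific user/action pair.

    Patterns are shell-style globs matched against the alert's fields
    (an assumption for this example, not the product's matching rules).
    """
    user: str = "*"          # glob over the caller's IAM ARN
    event_name: str = "*"    # glob over the CloudTrail eventName
    reason: str = ""


# Constructed alert records in the shape a CloudTrail rule would emit.
ALERTS: List[Dict] = [
    {"rule": "Instance launched outside approved regions", "eventName": "RunInstances",
     "user": "arn:aws:sts::111122223333:assumed-role/terraform-deploy/session-1"},
    {"rule": "Instance launched outside approved regions", "eventName": "RunInstances",
     "user": "arn:aws:iam::111122223333:user/bob"},
    {"rule": "CloudTrail logging stopped or trail deleted", "eventName": "StopLogging",
     "user": "arn:aws:sts::111122223333:assumed-role/terraform-deploy/session-2"},
    {"rule": "Security group ingress opened to the world",
     "eventName": "AuthorizeSecurityGroupIngress",
     "user": "arn:aws:iam::111122223333:user/carol"},
]

# Constructed suppression: the deployment role is expected to launch instances in
# several regions, but only that action is suppressed, so its StopLogging still alerts.
SUPPRESSIONS = [
    Suppression(user="arn:aws:sts::111122223333:assumed-role/terraform-deploy/*",
                event_name="RunInstances",
                reason="automated deploys launch in several regions"),
]


def matches(alert: Dict, suppression: Suppression) -> bool:
    """True when both the caller ARN and the eventName fit the suppression's globs."""
    return (fnmatch.fnmatchcase(alert["user"], suppression.user)
            and fnmatch.fnmatchcase(alert["eventName"], suppression.event_name))


def apply_suppressions(alerts: List[Dict],
                       suppressions: List[Suppression]) -> Tuple[List[Dict], List[Dict]]:
    """Split alerts into those still shown and those suppressed (with the reason attached)."""
    kept, suppressed = [], []
    for alert in alerts:
        hit = next((s for s in suppressions if matches(alert, s)), None)
        if hit:
            suppressed.append({**alert, "suppressed_by": hit.reason})
        else:
            kept.append(alert)
    return kept, suppressed


if __name__ == "__main__":
    shown, hidden = apply_suppressions(ALERTS, SUPPRESSIONS)
    for alert in shown:
        print("ALERT", alert["eventName"], alert["user"])
    for alert in hidden:
        print("suppressed", alert["eventName"], alert["user"], "-", alert["suppressed_by"])
```

With the user-and-action suppression only the deployment role's RunInstances is hidden; bob's launch in the same region and the role's own StopLogging still alert. A suppression that names only the action (Suppression(event_name="RunInstances")) would also hide bob's launch, which is why the narrowest combination of user and action is the better default.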