Threat Stack provides a secure integration with your Amazon Web Services (AWS) account to monitor changes to your infrastructure through CloudTrail. For more information about setting up a CloudTrail integration, please review the AWS Integrations Overview article.
This article covers the following:
- CloudTrail rules best practices and examples
- CloudTrail alerts
AWS CloudTrail monitoring is one of the ways Threat Stack monitors your infrastructure and workloads. Using Threat Stack's CloudTrail integration, you can be alerted on changes to your instances, security groups, S3 buckets, and access keys, and then determine whether any of those changes had adverse effects on your systems.
If you have multiple AWS accounts, you can view activity across all of them in the Threat Stack Cloud Security Platform (CSP) to track risk. With CloudTrail monitoring enabled, you can shorten the exposure window of an attack or an insider threat.
Threat Stack ships built-in rules (part of the CloudTrail Base Rule Set) that encode several AWS best practices and alert you when API calls that violate those practices are made against your infrastructure.
Let's review some examples below.
Example 1: A compromised AWS account where the attacker tampers with logging
When an account is compromised, one of the first things an attacker does is stop API call logging and delete the existing trails. The CloudTrail Admin Activity ruleset monitors administrator activity, including updates to existing trails and the creation of new trails.
This rule was created with "eventName" as the parameter for the rule filter. You can create a rule that filters on any "eventName" or "eventSource" value.
Example 2: Users running instances in non-standard regions and incurring unexpected costs
The ruleset in this example monitors and alerts you when an instance is launched into a region your organization does not normally use.
This rule was created with the combination of "eventName" and the region (the CloudTrail "awsRegion" field) as parameters for the rule filter.
Example 3: Are security groups getting created or changed outside of your security policy?
The ruleset in this example monitors and alerts you when a security group is created or changed.
This rule was created with the following "eventName" parameter keys:
CloudTrail alerts appear on the Alerts page.
- Clicking the CloudTrail tab will display a histogram and a list of all active CloudTrail alerts.
- Clicking the expand / collapse button will display the Filter dialog. For additional information about alert filtering options, please review the Alert View article.
- Clicking List View will display alerts by severity level.
Clicking an alert will display the alert preview pane along with the following information:
- The date and time of the API call
- The user name that made the API call
- The account associated with the API call
- Clicking the View Contributing Events link displays the last five contributing events that caused the alert. In the example shown here, there was only one contributing event.
- Clicking the View/Edit Rule link displays an Edit CloudTrail Rule dialog, enabling you to view and update the following fields:
- The rule name
- The alert title
- Filter options
- Suppression settings
You can choose not to receive alerts for specific users or actions by adding a suppression. For additional information on suppressing alerts, please review the How do I Suppress an Alert? article.
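The following is an added illustration, not Threat Stack code, of the filtering described in the three rule examples above (eventName, eventSource, and region) together with the per-user suppression described in this section. The rule names, rule titles, approved-region list, and the "terraform-ci" suppressed user are assumptions made for the example; the eventName and eventSource values are real CloudTrail API names, but which of them Threat Stack's base rule set actually uses is not stated on this page. The log records are constructed in the shape CloudTrail delivers (a JSON object with a top-level "Records" list) and are not real data.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    """One CloudTrail rule: match on eventName, optionally on eventSource and region."""
    name: str
    title: str
    event_names: Set[str]
    event_source: Optional[str] = None           # None: match any eventSource
    approved_regions: Optional[Set[str]] = None  # if set, alert only OUTSIDE these regions
    suppressed_users: Set[str] = field(default_factory=set)  # matched but never alerted

    def matches(self, rec: Dict) -> bool:
        if rec.get("eventName") not in self.event_names:
            return False
        if self.event_source and rec.get("eventSource") != self.event_source:
            return False
        if self.approved_regions is not None and rec.get("awsRegion") in self.approved_regions:
            return False
        return True


def caller_name(rec: Dict) -> str:
    """IAM user name; roles and assumed roles carry no userName, so fall back to the ARN."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


# Assumption: the regions your policy allows (Example 2 alerts on launches anywhere else).
APPROVED_REGIONS = {"us-east-1", "us-west-2"}

RULES = [
    # Example 1: trail tampering (stop logging, delete/alter/create trails)
    Rule("cloudtrail-admin-activity", "CloudTrail trail modified or logging stopped",
         {"StopLogging", "DeleteTrail", "UpdateTrail", "CreateTrail"},
         event_source="cloudtrail.amazonaws.com"),
    # Example 2: eventName + region combination
    Rule("ec2-nonstandard-region", "EC2 instance launched outside approved regions",
         {"RunInstances"}, event_source="ec2.amazonaws.com",
         approved_regions=APPROVED_REGIONS),
    # Example 3: security group created or changed; assumed IaC user is suppressed
    Rule("security-group-change", "Security group created or modified",
         {"CreateSecurityGroup", "DeleteSecurityGroup",
          "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
          "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"},
         event_source="ec2.amazonaws.com", suppressed_users={"terraform-ci"}),
]


def evaluate(records: List[Dict], rules: List[Rule]) -> List[Dict]:
    """Run every rule over every record; return alert summaries in record order."""
    alerts = []
    for rec in records:
        user = caller_name(rec)
        for rule in rules:
            if not rule.matches(rec) or user in rule.suppressed_users:
                continue
            alerts.append({
                "rule": rule.name, "title": rule.title, "time": rec.get("eventTime"),
                "user": user, "account": rec.get("recipientAccountId"),
                "event": rec["eventName"], "region": rec.get("awsRegion"),
            })
    return alerts


def _rec(name: str, source: str, region: str, user: str, time: str) -> Dict:
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": region, "recipientAccountId": "123456789012",
            "userIdentity": {"type": "IAMUser", "userName": user}}


# Constructed sample log in CloudTrail's delivery shape; not real data.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("StopLogging", "cloudtrail.amazonaws.com", "us-east-1", "attacker-temp", "2024-05-01T02:13:07Z"),
    _rec("DescribeInstances", "ec2.amazonaws.com", "us-east-1", "alice", "2024-05-01T02:14:00Z"),
    _rec("RunInstances", "ec2.amazonaws.com", "us-east-1", "alice", "2024-05-01T02:15:21Z"),
    _rec("RunInstances", "ec2.amazonaws.com", "ap-southeast-1", "dev-user", "2024-05-01T02:16:44Z"),
    _rec("AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", "us-west-2", "terraform-ci", "2024-05-01T02:17:02Z"),
    _rec("AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", "us-west-2", "alice", "2024-05-01T02:18:39Z"),
]})


def alerts_from_log(raw_json: str) -> List[Dict]:
    """Parse one CloudTrail log file (already gunzipped) and evaluate the rules over it."""
    return evaluate(json.loads(raw_json)["Records"], RULES)


if __name__ == "__main__":
    for a in alerts_from_log(SAMPLE_LOG):
        print(f'{a["time"]} [{a["rule"]}] {a["event"]} in {a["region"]} '
              f'by {a["user"]} (account {a["account"]})')
```

Each alert record carries the same three fields the alert preview pane shows (time of the API call, the calling user, and the account), and the suppressed "terraform-ci" call is dropped after matching rather than before, which is the behaviour you want when you later ask why a matching event produced no alert.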