Previously, I alluded to a change in my professional direction. I’m now focused on managing security operations in the cloud. To that end, I’m going to write a series of posts on the atomic pieces of what a cloud security operations portfolio looks like. As I live in the AWS cloud, these posts will be focused on the various AWS services. However, the security operations posts that deal more with theory or philosophy should apply to Azure, GCP, or other cloud environments.
This post covers AWS CloudTrail
What is CloudTrail?
I like to think of CloudTrail as Syslog for the AWS cloud: when it is enabled, all AWS API events are logged to an S3 bucket.
CloudTrail, therefore, gives you the ability to log every action taken in your AWS account. This is necessary for governance, compliance, auditing, and investigation. CloudTrail underpins nearly all of AWS’s security services, and most third-party security tools I’m aware of leverage CloudTrail to provide value.
All actions that users, accounts, services, or other entities - principals in AWS parlance - perform in AWS are mapped to AWS API calls. Check out the AWS Documentation, or play around with AWS CLI for more information on all API calls.
Management vs Data Events
There is a difference between the events generated by management (or control plane) activities - think the creation of resources within your account - versus the events generated on or within the resource itself (or data plane).
I like to keep the distinction in my head by thinking of the creation of an S3 bucket as a control plane operation while any activities that get, put, or list an object in that bucket would be data plane operations. These generate Management and Data events, respectively.
How Do I Enable CloudTrail?
Enabling CloudTrail is easy - it’s enabled when you create your AWS account. Open the CloudTrail Console and select Event History to view the most recent events. This view will, by default, hide read-only events, so if nothing is displayed, simply remove the filter at the top of the events list.
Storing CloudTrail Events Long-Term
CloudTrail is gratis for viewing and downloading the trailing 90 days of account activity. This might be fine for your use case. If you need long-term storage to support GRC, auditing, and investigation capabilities, it is possible to create a trail that will deliver management events to an S3 bucket.
You can then use a log analytics tool or CloudTrail Insights to analyze your logs as you see fit. More to come on this.
It is also important to note that enabling a trail will feed all CloudTrail events from all regions in your account into the trail’s S3 bucket. Without enabling a trail to deliver this regional data, you would have to investigate the Event History for each region in your account!
This was hopefully a useful, albeit basic, CloudTrail primer. More to come on the topic of querying CloudTrail trails to find evidence of activity within an account or accounts.