AWS 1x1 - CloudTrail
Discover malicious behavior in your account by tracking all changes that are made to your infrastructure.
Thread Overview
• Importance of audit logging
• The Basics
• Structure of Audit Logs
• Trails
• Encryption & Compliance
• Event Types
• Filtering
• Identity Types
{ 1 | 15 }
Why do I need this?
There's a high chance that your infrastructure will be under attack at some point in the future. This grows with your product and the complexity of your infrastructure.
If something is compromised, you're in need of audit logs.
{ 2 | 15 }
And that's where CloudTrail comes in.
It tracks all activities that are related to infrastructure changes in your account and keeps this information in the form of audit logs.
Those logs contain all information: who did what when & where!
{ 3 | 15 }
Each of these activities is recorded as an event, which is a JSON object containing all needed information.
You can browse them at CloudTrail's Event History!
eu-central-1.console.aws.amazon.com
{ 4 | 15 }
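An added example (not part of the original thread) of what those event objects look like and how to read them: a trail delivers log files to S3 as JSON with a top-level "Records" array, and each record carries the who (userIdentity), what (eventSource/eventName), when (eventTime) and where (awsRegion/sourceIPAddress) of one API call. The log file below is constructed; account id, ARNs, names and IP addresses are made up.

```python
import json
from datetime import datetime

# Constructed sample: the body of one CloudTrail log file, in the {"Records": [...]}
# shape a trail delivers to S3. Account id, ARNs, IPs and names are made up.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2023-05-01T10:15:30Z",
     "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventVersion": "1.08", "eventTime": "2023-05-01T10:14:02Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "CreateSubnet",
     "awsRegion": "eu-central-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-42"},
     "requestParameters": {"vpcId": "vpc-0abc", "cidrBlock": "10.0.2.0/24"}},
    {"eventVersion": "1.08", "eventTime": "2023-05-01T10:16:11Z",
     "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "awsRegion": "eu-central-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
]})


def parse_log_file(body: str) -> list:
    """Return the records of one log file sorted by eventTime rather than file order."""
    return sorted(json.loads(body)["Records"], key=lambda r: r["eventTime"])


def summarize(record: dict) -> dict:
    """Reduce one event to who / what / when / where, plus whether the call succeeded."""
    identity = record.get("userIdentity", {})
    return {
        "who": identity.get("arn") or identity.get("type", "unknown"),
        "what": record["eventSource"].split(".")[0] + ":" + record["eventName"],
        "when": datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "where": record["awsRegion"] + " from " + record.get("sourceIPAddress", "?"),
        "outcome": record.get("errorCode", "Success"),
        "details": record.get("requestParameters", {}),
    }


def timeline(body: str) -> list:
    """Chronological who/what/when/where view of a log file."""
    return [summarize(r) for r in parse_log_file(body)]


def failed_calls(body: str) -> list:
    """Denied or failed calls carry an errorCode; a burst of them from one
    principal is a cheap first signal to alert on."""
    return [s for s in timeline(body) if s["outcome"] != "Success"]


if __name__ == "__main__":
    for entry in timeline(SAMPLE_LOG_FILE):
        print(entry["when"], entry["who"], entry["what"], entry["where"], entry["outcome"])
```

The same fields are what Event History shows in the console; the difference is that parsing the delivered files lets you keep the "details" (requestParameters) next to the principal, which is what you need when reconstructing an incident.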
Trails
You can decide for yourself which Events you want to track by creating trails.
A trail will forward your events to an S3 bucket.
Additionally, you can also send them to CloudWatch.
(great if also using subscription filters to react to events)
{ 5 | 15 }
Encryption & Compliance
CloudWatch also enables you to verify the log file integrity - so you can be sure there was no tampering.
Furthermore, log event objects can be automatically encrypted by using a key from KMS.
{ 6 | 15 }
For securing your data even more, you can make use of S3's retention modes & object locks.
With S3's Write-Once-Read-Many (WORM) model you can enforce that objects can't be deleted or modified for a given period of time.
By that, you can enforce compliance rules.
{ 7 | 15 }
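An added example (not from the thread) of the integrity check mentioned above. When log file validation is enabled, CloudTrail writes an hourly digest file into the trail's bucket; each digest lists the delivered log files with the SHA-256 hash of their content, and the digest itself is RSA-signed and chained to the previous one. Re-hashing a log file and comparing it with the digest is enough to detect a modified file. Both the log file and the digest below are constructed; the signature and the chain to the previous digest are not verified here (the `aws cloudtrail validate-logs` command checks the whole chain against the public keys from `aws cloudtrail list-public-keys`).

```python
import gzip
import hashlib
import hmac
import json

# Constructed: one log file as a trail would deliver it (gzipped JSON; mtime=0 keeps
# the bytes reproducible) and the S3 key it would be stored under.
LOG_OBJECT_KEY = ("AWSLogs/123456789012/CloudTrail/eu-central-1/2023/05/01/"
                  "123456789012_CloudTrail_eu-central-1_20230501T1015Z_example.json.gz")
LOG_FILE_JSON = json.dumps({"Records": [{"eventTime": "2023-05-01T10:14:02Z",
                                         "eventName": "CreateSubnet"}]}).encode()
LOG_FILE_GZ = gzip.compress(LOG_FILE_JSON, mtime=0)


def content_hash(log_file_gz: bytes) -> str:
    """SHA-256 over the uncompressed log content, which is what the digest records."""
    return hashlib.sha256(gzip.decompress(log_file_gz)).hexdigest()


# Constructed digest file, shaped like the hourly digests CloudTrail writes when
# log file validation is on. The real digestSignature is an RSA signature over the
# digest; checking it is out of scope here, so a labelled placeholder stands in.
DIGEST = {
    "awsAccountId": "123456789012",
    "digestStartTime": "2023-05-01T10:00:00Z",
    "digestEndTime": "2023-05-01T11:00:00Z",
    "digestSignatureAlgorithm": "SHA256withRSA",
    "digestSignature": "<placeholder: RSA signature, not verified in this example>",
    "logFiles": [{
        "s3Bucket": "example-trail-bucket",
        "s3Object": LOG_OBJECT_KEY,
        "hashAlgorithm": "SHA-256",
        "hashValue": content_hash(LOG_FILE_GZ),
    }],
}


def verify_log_file(digest: dict, s3_object: str, log_file_gz: bytes) -> bool:
    """True only if the digest lists this object and the recorded hash matches its content."""
    for entry in digest["logFiles"]:
        if entry["s3Object"] != s3_object:
            continue
        if entry["hashAlgorithm"] != "SHA-256":
            raise ValueError("unexpected hash algorithm: " + entry["hashAlgorithm"])
        return hmac.compare_digest(entry["hashValue"], content_hash(log_file_gz))
    # An object the digest never mentions was not delivered by CloudTrail in that
    # hour (or the digest itself is gone): report it as unverified, never as trusted.
    return False


def modified_copy(log_file_gz: bytes) -> bytes:
    """Re-encode the log file with one field changed, to show the resulting hash mismatch."""
    records = json.loads(gzip.decompress(log_file_gz))
    records["Records"][0]["eventName"] = "DescribeSubnets"  # constructed change
    return gzip.compress(json.dumps(records).encode(), mtime=0)


if __name__ == "__main__":
    print("original file :", verify_log_file(DIGEST, LOG_OBJECT_KEY, LOG_FILE_GZ))
    print("modified file :", verify_log_file(DIGEST, LOG_OBJECT_KEY, modified_copy(LOG_FILE_GZ)))
    print("unknown key   :", verify_log_file(DIGEST, "AWSLogs/other.json.gz", LOG_FILE_GZ))
```

Note the two negative results: a changed file fails the hash, and a file the digest does not list is reported as unverified rather than accepted. Pair this with the object-lock retention described above so that neither the log files nor the digests can be removed during the retention window.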
CloudTrail records different types of audit events.
There are Management, Data & Insight events for the actions that are performed by users.
{ 8 | 15 }
Management Events
As the type already suggests, those events are related to infrastructure management operations.
This includes for example IAM Policy adjustments or VPC Subnet creations.
They are referred to as control plane operations.
{ 9 | 15 }
Data Events
For events that retrieve, delete or modify data within your AWS account's services.
This includes for example CRUD operations on DynamoDB documents or a GET for an object in an S3 bucket.
As expected, data events are often under high activity!
{ 10 | 15 }
Keep this in mind if you're creating data event trails.
If you're monitoring DynamoDB tables at object-level access with high traffic, this will cause a significant amount of trail events and therefore writes to S3.
{ 11 | 15 }
Insight Events
The rarest type of events, which records anomalies in the API usage of your account.
The analysis is based on your historical usage pattern and can identify events like an unusually high number of API calls in a short time period.
{ 12 | 15 }
Filtering
If you're creating trails you can also decide which events you actually want to track.
Maybe you're only interested in certain types, services, resources, or a specific region.
This reduces the noise created by changes to your whole ecosystem.
{ 13 | 15 }
To get back to our previous example:
You're interested in DynamoDB object-level accesses.
Maybe your real interest is in tracking modification & deletion operations, but not reads.
Set your filter to log writeOnly events.
{ 14 | 15 }
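An added example (not from the thread) for the two filtering tweets above: the write-only DynamoDB filter expressed as an advanced event selector, which is the structure CloudTrail's PutEventSelectors API and the console's trail editor use, followed by a small local evaluator that applies the same field-selector logic to constructed records so you can see which events a trail would keep before you pay for the S3 writes. The selector field names (eventCategory, resources.type, resources.ARN, readOnly) and operators are CloudTrail's; the records, table names and account id are made up, and the evaluator is a simplified model rather than CloudTrail's own code.

```python
# Advanced event selector in the shape CloudTrail's PutEventSelectors API takes:
# DynamoDB item-level data events, writes only. The three field selectors are ANDed.
DYNAMODB_WRITE_ONLY = {
    "Name": "DynamoDB item-level writes",
    "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::DynamoDB::Table"]},
        {"Field": "readOnly", "Equals": ["false"]},
    ],
}

# Constructed records, reduced to the fields the selector looks at.
SAMPLE_RECORDS = [
    {"eventCategory": "Data", "eventName": "PutItem", "readOnly": False,
     "resources": [{"type": "AWS::DynamoDB::Table",
                    "ARN": "arn:aws:dynamodb:eu-central-1:123456789012:table/orders"}]},
    {"eventCategory": "Data", "eventName": "GetItem", "readOnly": True,
     "resources": [{"type": "AWS::DynamoDB::Table",
                    "ARN": "arn:aws:dynamodb:eu-central-1:123456789012:table/orders"}]},
    {"eventCategory": "Data", "eventName": "DeleteItem", "readOnly": False,
     "resources": [{"type": "AWS::DynamoDB::Table",
                    "ARN": "arn:aws:dynamodb:eu-central-1:123456789012:table/sessions"}]},
    {"eventCategory": "Data", "eventName": "PutObject", "readOnly": False,
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/x"}]},
    {"eventCategory": "Management", "eventName": "DeleteTable", "readOnly": False},
]

_POSITIVE = {
    "Equals": lambda value, target: value == target,
    "StartsWith": lambda value, target: value.startswith(target),
    "EndsWith": lambda value, target: value.endswith(target),
}


def _field_values(record: dict, field: str) -> list:
    """Map a selector field onto the string value(s) a record carries for it."""
    if field == "resources.type":
        return [r.get("type", "") for r in record.get("resources", [])]
    if field == "resources.ARN":
        return [r.get("ARN", "") for r in record.get("resources", [])]
    if field == "readOnly":
        # Records store a JSON boolean; selectors compare against "true"/"false".
        return [str(record.get("readOnly", False)).lower()]
    return [str(record.get(field, ""))]


def _clause_ok(value: str, operator: str, targets: list) -> bool:
    """Equals/StartsWith/EndsWith pass if any target matches; the Not* forms if none does."""
    if operator in _POSITIVE:
        return any(_POSITIVE[operator](value, t) for t in targets)
    if operator.startswith("Not") and operator[3:] in _POSITIVE:
        return not any(_POSITIVE[operator[3:]](value, t) for t in targets)
    raise ValueError("unsupported operator: " + operator)


def would_be_logged(record: dict, selector: dict) -> bool:
    """A record is kept only if every field selector is satisfied by at least one of
    the record's values for that field (so a record without resources never
    matches a resources.type selector)."""
    for field_selector in selector["FieldSelectors"]:
        clauses = [(op, t) for op, t in field_selector.items() if op != "Field"]
        values = _field_values(record, field_selector["Field"])
        if not any(all(_clause_ok(v, op, t) for op, t in clauses) for v in values):
            return False
    return True


def restrict_to_table(selector: dict, table_arn: str) -> dict:
    """Narrow a selector to one table without mutating the original."""
    narrowed = dict(selector, FieldSelectors=list(selector["FieldSelectors"]))
    narrowed["FieldSelectors"].append({"Field": "resources.ARN", "Equals": [table_arn]})
    return narrowed


def kept_events(records: list, selector: dict) -> list:
    """Names of the events a trail with this selector would write to S3."""
    return [r["eventName"] for r in records if would_be_logged(r, selector)]


if __name__ == "__main__":
    print("write-only, all tables:", kept_events(SAMPLE_RECORDS, DYNAMODB_WRITE_ONLY))
    orders = restrict_to_table(DYNAMODB_WRITE_ONLY,
                               "arn:aws:dynamodb:eu-central-1:123456789012:table/orders")
    print("write-only, orders only:", kept_events(SAMPLE_RECORDS, orders))
```

The GetItem read is dropped by the readOnly selector, the S3 PutObject by resources.type, and DeleteTable because it is a management event (and is covered by management event logging instead). Narrowing to a single table ARN is the next lever when one hot table still produces more data events than you want to store.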
Identity Types
In addition to having different event types, there are also multiple identity types.
CloudTrail logs the identity of the user or service that performed the action.
For example an...
• IAM User
• AWS Service
• Assumed Role
{ 15 | 15 }
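An added example (not from the thread) of how the three identity types above appear in the userIdentity block of a record and how to attribute an action to the right principal: an IAM user is identified by its ARN, an assumed role shows the temporary session ARN with the underlying role in sessionContext.sessionIssuer, and a service acting on your behalf appears as type AWSService with the service principal in invokedBy. Root, which CloudTrail also records, is included because root activity is a standard thing to alert on. The records below are constructed; account id, names and ARNs are made up.

```python
from collections import Counter

# Constructed records showing the identity types; only userIdentity matters here.
SAMPLE_RECORDS = [
    {"eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventName": "CreateSubnet",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-42",
                      "sessionContext": {
                          "sessionIssuer": {"type": "Role",
                                            "arn": "arn:aws:iam::123456789012:role/DeployRole"},
                          "attributes": {"mfaAuthenticated": "false"}}}},
    {"eventName": "PutObject",
     "userIdentity": {"type": "AWSService", "invokedBy": "cloudtrail.amazonaws.com"}},
    {"eventName": "CreateUser",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]


def describe_identity(record: dict) -> dict:
    """Resolve userIdentity to the principal the action should be attributed to."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type", "Unknown")
    session_ctx = ident.get("sessionContext", {})
    info = {
        "type": kind,
        "principal": ident.get("arn"),
        "session": None,
        # invokedBy on a user/role record means a service made the call on their behalf.
        "via": ident.get("invokedBy"),
        "mfa": session_ctx.get("attributes", {}).get("mfaAuthenticated"),
    }
    if kind == "AssumedRole":
        # The arn is the temporary session; the role that was assumed is the issuer.
        issuer = session_ctx.get("sessionIssuer", {})
        info["session"] = ident.get("arn")
        info["principal"] = issuer.get("arn", ident.get("arn"))
    elif kind == "AWSService":
        # The service itself acted (here CloudTrail writing to S3); there is no IAM ARN.
        info["principal"] = ident.get("invokedBy")
        info["via"] = None
    return info


def count_by_principal(records: list) -> Counter:
    """Activity per principal, with role sessions collapsed onto their role."""
    return Counter(describe_identity(r)["principal"] for r in records)


def root_usage(records: list) -> list:
    """Root should almost never act; list what it did so it can be reviewed."""
    return [r["eventName"] for r in records if describe_identity(r)["type"] == "Root"]


def sessions_without_mfa(records: list) -> list:
    """Assumed-role sessions whose attributes say MFA was not used."""
    return [describe_identity(r)["session"] for r in records
            if describe_identity(r)["type"] == "AssumedRole"
            and describe_identity(r)["mfa"] == "false"]


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r["eventName"], describe_identity(r))
    print("root:", root_usage(SAMPLE_RECORDS))
    print("no-MFA sessions:", sessions_without_mfa(SAMPLE_RECORDS))
```

Collapsing role sessions onto the issuing role matters in practice: every CI run or console login creates a new session ARN, so counting by the raw arn field hides that they all come from the same role.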