
How To Effectively Set Up AWS CloudTrail in 5 Steps

Jul 30, 2020

By AJ Yawn, CISSP

Introduction

Amazon Web Services (AWS) is the market-leading cloud service provider for many reasons. One of them is the breadth and depth of security services available to organizations hosted on AWS. With new services released almost daily, it is understandable for security practitioners to get lost in the many options for securing an AWS account. AWS CloudTrail is one of these services: commonly underused, yet fairly simple to set up and critical for security governance, detection, and incident response.

What is CloudTrail, and Why Does it Matter?

AWS CloudTrail is an AWS service that helps you audit your AWS account, providing complete visibility into the governance, compliance, and risks of your AWS account. Logging is an integral component of any cybersecurity program.

All actions taken by a user, role, or AWS service are logged and recorded as events in CloudTrail. AWS outlines six best practices for security in the cloud; one of the six is detection. CloudTrail is the recommended service for implementing detective controls that identify a potential security threat or incident. If you are hosted on AWS, CloudTrail should be a core component of your governance program and can be used to support a quality control process, a legal or compliance obligation, and threat identification and response efforts.

How to Configure CloudTrail and Monitor For Security-Related Events

1.    Create a Trail.

When you create your AWS account, AWS CloudTrail is enabled by default. For an ongoing record of activity and events, analysis, and log retention, create a trail in your account. Creating a trail allows you to use other AWS services to analyze and act upon the event data collected in CloudTrail logs.

2.    Configure your trail to apply to all regions.

Specify a unique name for your trail and follow the CloudTrail naming requirements. Select yes to apply the trail to all regions, even if you are currently hosted in only one region. It is best practice to apply CloudTrail to all regions, both to monitor any activity in regions where you should not have resources and to ensure you are prepared, from a security perspective, to scale.

Bonus Tip: If you are using AWS Organizations, apply this trail to your organization to log all events for all AWS accounts in your organization. An organization trail can’t be deleted by member accounts, nor can they turn logging on or off, change what types of events are logged, or otherwise modify the organization trail in any way.

3.    Choose which events you will log

There are three different types of events you can log with CloudTrail: management events, insights events, and data events. The events that you log will depend on your organization’s needs and preferences; however, logging all read and write management events is best practice.

4.    Configure your logs to be stored on S3 and enable log file validation

By default, the S3 bucket created for your trail is encrypted at rest using the default SSE-S3 encryption by AWS. If you are already using AWS Key Management Service (KMS) to manage your encryption, you can enable SSE-KMS encryption of the logs at rest.

Enable log file validation to have log digests delivered to your S3 bucket to verify the integrity of the logs and ensure they have not been modified after CloudTrail delivered them.
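The digest files that log file validation delivers can be checked without any AWS tooling, which is useful during an investigation when you want to prove that a stored log file was not altered after delivery. The following is an added example, not code from the original post or from AWS: it reproduces the two hash checks in the validation scheme (each log file's SHA-256 must match the `hashValue` listed for it in the digest, and each digest must name the SHA-256 of its predecessor in `previousDigestHashValue`) over constructed sample files. It assumes the `hashValue` covers the uncompressed log content, and it does not verify the RSA signature CloudTrail puts on each digest, which additionally needs the public keys from `aws cloudtrail list-public-keys`.

```python
"""Offline integrity checks for CloudTrail log files and digest files.

Added example (not from the post or AWS). Covers the hash checks only; the
per-digest RSA signature check is not implemented here.
"""
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_log_file(records: list) -> bytes:
    """Return a gzipped CloudTrail-style log file (constructed sample data)."""
    return gzip.compress(json.dumps({"Records": records}).encode())


def verify_log_files(digest: dict, stored: dict) -> list:
    """Check every logFiles entry of a digest against the stored .json.gz bytes.

    `stored` maps S3 object keys to the bytes fetched from the bucket. The
    hashValue is assumed to cover the uncompressed content of the log file.
    """
    results = []
    for entry in digest["logFiles"]:
        raw = stored.get(entry["s3Object"])
        if raw is None:
            status = "missing"      # listed in the digest but gone from the bucket
        elif sha256_hex(gzip.decompress(raw)) == entry["hashValue"]:
            status = "ok"
        else:
            status = "tampered"     # content no longer matches what CloudTrail hashed
        results.append({"s3Object": entry["s3Object"], "status": status})
    return results


def verify_digest_chain(digests: list) -> bool:
    """Digests (oldest first) must each reference the SHA-256 of the previous one."""
    prev_hash = None
    for i, raw in enumerate(digests):
        if i > 0 and json.loads(raw).get("previousDigestHashValue") != prev_hash:
            return False
        prev_hash = sha256_hex(raw)
    return True


def demo() -> dict:
    # Constructed sample: two log files for one delivery hour and two digests.
    prefix = "AWSLogs/111111111111/CloudTrail/us-east-1/2020/07/30/"
    key_a = prefix + "111111111111_CloudTrail_us-east-1_20200730T1000Z_a.json.gz"
    key_b = prefix + "111111111111_CloudTrail_us-east-1_20200730T1005Z_b.json.gz"
    log_a = build_log_file([{"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com"}])
    log_b = build_log_file([{"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com"}])

    digest1 = {
        "awsAccountId": "111111111111",
        "digestStartTime": "2020-07-30T09:00:00Z",
        "digestEndTime": "2020-07-30T10:00:00Z",
        "logFiles": [
            {"s3Object": key_a, "hashValue": sha256_hex(gzip.decompress(log_a)), "hashAlgorithm": "SHA-256"},
            {"s3Object": key_b, "hashValue": sha256_hex(gzip.decompress(log_b)), "hashAlgorithm": "SHA-256"},
        ],
        "previousDigestHashValue": None,
    }
    digest1_raw = json.dumps(digest1).encode()
    digest2 = {
        "awsAccountId": "111111111111",
        "digestStartTime": "2020-07-30T10:00:00Z",
        "digestEndTime": "2020-07-30T11:00:00Z",
        "logFiles": [],
        "previousDigestHashValue": sha256_hex(digest1_raw),
    }
    digest2_raw = json.dumps(digest2).encode()

    # Simulated tampering: the StopLogging record was removed from log file b.
    tampered_b = build_log_file([])
    return {
        "clean": verify_log_files(digest1, {key_a: log_a, key_b: log_b}),
        "tampered": verify_log_files(digest1, {key_a: log_a, key_b: tampered_b}),
        "chain_ok": verify_digest_chain([digest1_raw, digest2_raw]),
        "chain_broken": verify_digest_chain([digest2_raw, digest1_raw]),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against real data by replacing the constructed `stored` mapping with the objects pulled from the trail's bucket and the digest list with consecutive digest files; a "tampered" or "missing" status, or a broken chain, is exactly what the console's `validate-logs` command would also report.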

5.    Configure CloudWatch Alarms for Security and Network related API Activity

After creating the trail, a new window opens listing your trail. Open the trail to configure the CloudWatch security and network related alerts. Within the trail settings, click Configure under CloudWatch Logs.

Follow the prompt to configure the IAM role that CloudWatch needs in order to receive the logs. Back in the trail settings, click the hyperlink ‘Create CloudWatch Alarms for Security and Network related API activity using CloudFormation template’.

This CloudFormation template has predefined CloudWatch metric filters and alarms so that you receive email notifications when security-related API calls are made. A few of the key metrics monitored by this template are:

  • S3 bucket policy, lifecycle, replication, or ACL changes
  • API calls that create, update, and delete security groups
  • The creation, termination, start, stop, and reboot of EC2 instances
  • Creating, deleting, and updating trails, and starting or stopping logging for a trail
  • Console login failures
  • Authorization failures
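Those alarms are driven by CloudWatch Logs metric filters, which are small boolean expressions over the JSON fields of each CloudTrail record. The following added example (not code from the post or from the AWS template) implements an evaluator for the subset of the filter syntax these alarms use (`$.field` selectors, `=` and `!=` with `*` wildcards, `&&`, `||` and parentheses) and runs filter patterns written here to match four of the categories above over constructed sample events. The pattern strings and the sample events are the author's own constructions modelled on the template's categories, not copied from it; use the evaluator to test your own patterns against records from your trail before deploying them.

```python
"""Evaluate CloudWatch-Logs-style metric filter patterns over CloudTrail records.

Added example (not from the post or the AWS template). Supports the subset of
the filter syntax the security alarms use; anything else raises ValueError.
"""
import re

# One token per match: parens, && / ||, != / =, $.selector, "quoted", or bare word.
TOKEN_RE = re.compile(r'\s*(\(|\)|&&|\|\||!=|=|\$\.[\w.]+|"[^"]*"|[^\s()]+)')


def tokenize(pattern: str) -> list:
    body = pattern.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    return [m.group(1) for m in TOKEN_RE.finditer(body)]


class Parser:
    """Recursive descent: expr := term ('||' term)*, term := factor ('&&' factor)*."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError("trailing tokens in pattern")
        return node

    def expr(self):
        node = self.term()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        sel, op, val = self.take(), self.take(), self.take()
        if not sel or not sel.startswith("$.") or op not in ("=", "!=") or val is None:
            raise ValueError("expected '$.field = value'")
        return ("cmp", sel[2:].split("."), op, val.strip('"'))


def lookup(event: dict, path: list):
    cur = event
    for part in path:
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(node, event: dict) -> bool:
    if node[0] == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    if node[0] == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    _, path, op, want = node
    have = lookup(event, path)
    # '*' is the only wildcard; a missing field never matches (simplification).
    wanted = ".*".join(re.escape(part) for part in want.split("*"))
    matched = have is not None and re.fullmatch(wanted, str(have)) is not None
    return matched if op == "=" else not matched


def compile_pattern(pattern: str):
    return Parser(tokenize(pattern)).parse()


# Constructed patterns covering four of the categories listed in the post.
PATTERNS = {
    "CloudTrailChanges": "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }",
    "ConsoleSignInFailures": '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }',
    "AuthorizationFailures": '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
    "SecurityGroupChanges": "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }",
}

# Constructed records shaped like CloudTrail events (only the fields used here).
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "errorMessage": "Failed authentication"},
    {"eventID": "e2", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging"},
    {"eventID": "e3", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation"},
    {"eventID": "e4", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventID": "e5", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress"},
]


def match_events(events: list, patterns: dict = PATTERNS) -> dict:
    """Return {pattern name: [eventID, ...]} for the records each filter would count."""
    compiled = {name: compile_pattern(p) for name, p in patterns.items()}
    hits = {name: [] for name in patterns}
    for ev in events:
        for name, node in compiled.items():
            if evaluate(node, ev):
                hits[name].append(ev["eventID"])
    return hits


if __name__ == "__main__":
    for name, ids in match_events(SAMPLE_EVENTS).items():
        print(f"{name}: {ids}")
```

The benign `DescribeInstances` call (e4) matches nothing, while the failed console login, the `StopLogging` call, the `UnauthorizedOperation` error and the security group change each land in exactly one filter; that is the behaviour you want to confirm for your own patterns before wiring them to an alarm.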

Tips and Reminders for CloudTrail

Don’t skip step 5. Creating a trail and storing it on S3 is not enough. The key to any log management tool or system is giving security administrators the ability to analyze potential trends that could affect your organization’s ability to achieve its security objectives and commitments. Enabling CloudWatch alarms as described in Step 5 uses AWS services to monitor for, and notify administrators of, the key security events your organization should be concerned with.

Closing

Effective and efficient log management in the cloud is crucial to securing your AWS account. Security teams need complete visibility of all actions taken in your account, and this visibility cannot just be a dump of events for a human to parse through. Efficient log management solutions enable administrators to quickly analyze threats and respond appropriately, accelerating incident response and recovery from potential breaches.