[AWS security] How to secure API calls using CloudTrail

overview

In this article, I will explain about CloudTrail and how to monitor API calls using it to secure the AWS account.

CloudTrail: What it is and what it does

• provides audit logs of an AWS account’s authenticated request to perform an action with an AWS service and its resources

How CloudTrail can help security operations

• view, search, download, archive, analyze and respond to account activity across AWS services
• gain detailed visibility into user, service and resource activity
• troubleshoot security and operational issues by tracking changes
• build detective security controls and automate their response around important CloudTrail event activity

How CloudTrail works for SecOps

• CloudTrail captures actions made directly by the user or on behalf of the user by an AWS service
• CloudTrail events are available to the AWS account within 15 min

CloudTrail events search and analytics in AWS

Anatomy of a CloudTrail event

critical event fields

event types

• management events — enabled by default, records of control plane operations
• Data events — not enabled by default, records of data plane operations that are performed within a supported AWS resource (available for S3 objects events and Lambda at an additional cost)
• insights events — not enabled by default, records unusual call volume of write management APIs up to 90 days

IAM user examples

Key enrichment sources for CloudTrail events

DEMO

A: set up an AWS CloudTrail to monitor activities and verify the New Trail Is Logging to S3

scenario

You are an engineer at a small start up company that has recently started utilizing AWS. Your manager has recently found out that there are no trails configured in AWS CloudTrail for your AWS account, and thus, the AWS API activity that occurs in the account is currently invisible to others, not logged, and not auditable. Your manager has asked you to create a trail so that all AWS API activity is logged and is auditable.

• go to CloudTrail

• create trail

• Type name and leave the radio button selected for Create new S3 bucket. Under Trail log bucket and folder, S3 bucket name is automatically generated for you in the format of aws-cloudtrail-logs-<accountnumber>-<uniquestring>. Under AWS KMS alias, input the same name as your KMS key alias name.

• setup this way

• On the Review and create page, scroll down to review all of the settings that you have configured for your new trail, then click the Create trail button at the bottom.

• Under your trail name (in this case, Taka-test), the S3 bucket column, click on S3 bucket link

• Choose s3 bucket for CloudTrail (create one if not)

• you will see a list of AWS regions. Scroll towards the bottom, find the us-west-2 folder, and then click on it. (Choose your region). It could take a few minutes to show up

• You should now see a folder named after the current year, month, day number, and files in the format of <awsaccountnumber>_CloudTrail_us-west-2_<datetime>_<uniqueid>.json.gz.

• Click on one of these files, which will take you to the S3 object page
• Click the Open button at the top left to check the trails.

B:Monitor API Calls using CloudTrail

scenario

Your manager has asked you to ensure that the main AWS Account for the company is secure and not used improperly by unauthorized users and/or systems. Your initial concern will be to monitor for API calls made by users and/or systems that should not have access.

• Use the search bar at the top of the page to navigate to the IAM service. Then in the left menu click on Users. Performing this action will trigger an API call that CloudTrail will monitor, and will show in the CloudTrail console. This will test that your trail is logging API calls as expected.

• Navigate back to the CloudTrail Dashboard, and click on Event history.

• From the Event history dropdown, select Event name and enter ListUsers for the value to search for. Click the 30m time period to narrow down your search results.

• You should see a new entry for the ListUsers request that you made when you went to IAM > Users. Typically, CloudTrail delivers an event within 15 minutes of an API call. If you are unable to see the ListUsers event, wait a couple of minutes and refresh the Event history table by clicking the refresh button.
• From the Lookup attributes dropdown, select Event name and enter ListBuckets for the value to search for. Click the 30m time period to narrow down your search results.

• You should see a new entry for the S3 actions that you just completed. This API call was made in the AWS Console when you navigated to S3 and the list of buckets were shown.

Edit a CloudTrail Trail to Send Output to CloudWatch

After working within the CloudTrail console to monitor events, you discover an article that describes how CloudWatch is a much better solution for monitoring and alerting for CloudTrail events due to being able to search and alert on any term, phrase, or value that may exist within the monitoring results. The CloudTrail console has a limited set of defined search capabilities and may reduce your ability to find what you need. Enabling CloudWatch will make your job easier and ensure that you stay on top of keeping your AWS account secure. To do this you will need to edit the existing trail that you have been working with to enable CloudWatch to have access to the trails monitoring results.

• Go to CloudTrail > Trails > your name (Taka-test)

• Scroll down to the CloudWatch Logs section, and click Edit.

• Under CloudWatch Logs check Enabled.
• Under IAM Role choose Existing. Within the Role name dropdown, select AWSServiceRoleForCloudTrail. Save changes.

• To test that your trail is logging data events as expected, navigate to S3 > aws-cloudtrail-logs***** This will trigger a data event that CloudTrail will monitor, and will show in the CloudWatch console.

• In the upper-left click Services, then search for and click on CloudWatch.
• In the left-hand menu, click Log groups in the Logs section.

• Click the aws-cloudtrail-logs- link, then click Search log group.The resulting Log events page will allow you to view, filter, and find events.

• In the Filter events search bar, type in ListBuckets and press enter.

You should see several items that match that search criteria (wait a minute or two then refresh if you don’t see any results). Once you verify that the S3 event shows up in CloudWatch, you have proven that you will be able to easily search for and detect events made to your AWS Account.

Validate CloudTrail Log File Integrity

Your manager recently asked about your progress on securing the AWS Account the company uses. After some discussion, your manager asks you how can you be sure that the CloudTrail trail log files have not been tampered with. After a bit of research, you discover that the Log File Validation setting in CloudTrail is something that you can use to satisfy what your manager is asking about.

• Navigate CloudTrail > Trails > yours

• Ensure under General details that Log file validation is Enabled.

• Copy the ARN from the breadcrumb navigation near the top of the page, and store it locally for later use. It will be prefixed with arn:aws:cloudtrail:us-west-2:
• .arn:aws:cloudtrail:us-west-2:810137892419:trail/Taka-test

• In the upper-left click Services, then type in and click on EC2. In the left-hand menu under Instances, click Instances. Please start one if you dont have to connect
• SSH into the EC2 instance and run the following command

aws cloudtrail validate-logs --start-time 2020-10-07T00:00:00Z --trail-arn <Trail ARN> --verbose