Monday, July 13, 2020

CloudTrail

CloudTrail
-         https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html
-         CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. In addition, you can use CloudTrail to detect unusual activity in your AWS accounts.
-         Logging API calls – Console, SDK, CLI, API
-         Used for: security, compliance, troubleshooting
-         Event history on the account – view/search/download 90 days’ worth of activity
-         CloudTrail event history is enabled by default, but a CloudTrail trail that delivers logs into S3 or triggers Lambda is not
-         Trails can be used to trigger alarms
-         All Regions (recommended, default for Console) – Creates the same trail in all regions and delivers log files for all regions. Writes everything into a single central S3 bucket. Add a region and enable the trail – it will automatically get added to ‘All Regions’ and push into the central bucket. Able to manage all trail settings centrally
IMPORTANT:
-         Single Region (default for CLI or API) – can go to each region, create a regional trail and push logs into each region’s S3 OR into the central bucket – not as efficient. Each single-region trail can push into a bucket of its own or into a shared bucket. The bucket can be in any region.
-         Single Region is the default for trails created via CLI or API. Console default – All Regions.
-         Max 5 trails per region (ex: developers want one, compliance another, etc.) – into one or separate buckets
-         CloudTrail begins delivering logs 15 min after enabling, then once every 5 min
-         Logs contain API calls into the account
-         Can specify which S3 bucket / Lambda function API calls to record

Global Service Events
-         https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events
-         For most services, events are recorded in the region where the action occurred. For global services such as AWS Identity and Access Management (IAM), AWS STS, and Amazon CloudFront, events are delivered to any trail that includes global services. For most global services, events are logged as occurring in US East (N. Virginia) Region, but some global services are logged as occurring in other regions, such as US East (Ohio) Region or US West (Oregon) Region.


Log File Integrity Validation
-         Making sure the log file hasn’t been tampered with
-         Encrypted trail: SHA-256 for hashing and SHA-256 with RSA for digital signing
-         Encryption disabled by default
          § Once per hour CloudTrail delivers a digest file into the same S3 bucket as the logs (separate folder from the logs) – a file with the hashes of all of the last hour’s log files
          § Digest file is signed with a private key
          § Public key can be used to validate the digest file’s signature
          § Different key pair in each region
          § Each digest file contains digital signature of the previous digest file
          § Can send SNS notification for every log file delivery
-         To validate logs – use the CLI or third-party tools
-         Validation happens in the same location as the log files. If they are moved – create your own tools to validate
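An added example of the “create your own tools” case, not code from the original post or from AWS: it rebuilds the signing string described in the CloudTrail custom-validation docs (digest end time, digest S3 path, hex SHA-256 of the digest body, previous digest signature), checks the digest’s SHA256withRSA signature, then rechecks every listed log file’s SHA-256. The digest, log file and key are constructed stand-ins; in a real run you would pass the downloaded digest and log file contents (in the form CloudTrail hashes them), the hex-decoded `x-amz-meta-signature` metadata and the region’s public key from `list-public-keys`, and all bucket, key and function names here are the example’s own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

type Digest struct { // digest-file fields used by validation (json matches a real file's camelCase keys case-insensitively)
	DigestEndTime, DigestS3Bucket, DigestS3Object, PreviousDigestSignature string
	LogFiles                                                               []struct{ S3Object, HashValue string } // HashValue: hex SHA-256
}
func hexSHA256(b []byte) string { h := sha256.Sum256(b); return hex.EncodeToString(h[:]) }
// signedHash: SHA-256 of the documented signing string (end time, digest S3 path, hex SHA-256 of body, previous signature).
func signedHash(d Digest, body []byte) []byte {
	sum := sha256.Sum256([]byte(d.DigestEndTime + "\n" + d.DigestS3Bucket + "/" +
		d.DigestS3Object + "\n" + hexSHA256(body) + "\n" + d.PreviousDigestSignature))
	return sum[:]
}
// VerifyDigest checks the signature (hex-decoded x-amz-meta-signature) with the region's public
// key, then recomputes each listed log file's hash; a missing log file fails the check too.
func VerifyDigest(pub *rsa.PublicKey, body, sig []byte, logs map[string][]byte) error {
	var d Digest
	if err := json.Unmarshal(body, &d); err != nil { return err }
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, signedHash(d, body), sig); err != nil {
		return fmt.Errorf("digest signature invalid: %w", err)
	}
	for _, lf := range d.LogFiles {
		if hexSHA256(logs[lf.S3Object]) != lf.HashValue {
			return fmt.Errorf("log file %s modified or missing", lf.S3Object)
		}
	}
	return nil
}
// SampleDigest plays CloudTrail's signer on constructed data with a freshly generated (non-AWS) key.
func SampleDigest() (pub *rsa.PublicKey, body, sig []byte, logs map[string][]byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	logKey := "AWSLogs/111122223333/CloudTrail/us-east-1/2020/07/13/sample.json"
	logs = map[string][]byte{logKey: []byte(`{"Records":[{"eventName":"ConsoleLogin"}]}`)}
	d := Digest{DigestEndTime: "2020-07-13T12:00:00Z", DigestS3Bucket: "example-trail-bucket",
		DigestS3Object: "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2020/07/13/digest.json",
		LogFiles: []struct{ S3Object, HashValue string }{{logKey, hexSHA256(logs[logKey])}}}
	body, _ = json.Marshal(d)
	sig, _ = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, signedHash(d, body))
	return &key.PublicKey, body, sig, logs
}
```

Because each digest also carries the previous digest’s signature in its signing string, running this over consecutive digests with `PreviousDigestSignature` filled in from the prior file checks the chain the notes describe.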


