IuriiO Notebook
CloudTrail

  • Enables

    • After-the-fact incident investigation

    • Near real-time intrusion detection

    • Industry and regulatory compliance

  • Provides

    • A record of API calls made to supported AWS services, whether from the console, CLI, SDKs or other AWS services

  • What is logged

    • Metadata about the API call

    • The identity of the API caller

    • The time of the API call

    • The source IP address of the API caller

    • The request parameters

    • The response elements returned by the service

  • CloudTrail event logs:

    • Delivered as gzipped JSON files (one "Records" array per file) to an S3 bucket you specify

    • You manage the retention in S3

    • Published roughly every 5 minutes; an event typically shows up within 15 minutes of the API call, but delivery time is not guaranteed

    • SNS notification available on each log file delivery

    • Can be aggregated across regions (multi-region trail)

    • Can be aggregated across accounts (organization trail, or several accounts writing to one bucket)
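The fields listed under "What is logged" are what detection logic keys on. As an added example (not part of the original notes), the Python below loads a constructed, gzipped CloudTrail log file built in the real delivery format (a top-level "Records" array; account ID, ARNs, IPs and event IDs are made up) and runs a few near-real-time style rules over it: root activity, console login without MFA, tampering with the trail itself, access-denied errors, and calls from outside an assumed trusted network. TRUSTED_NETWORKS and the function names are assumptions.

```python
"""Detection logic over CloudTrail records, run offline on a constructed log file."""
import gzip
import ipaddress
import json

# Constructed sample log file in CloudTrail's delivery format (gzipped JSON with
# a top-level "Records" array). Account ID, ARNs, IPs and event IDs are made up;
# the field names are the ones CloudTrail writes.
SAMPLE_LOG_FILE = gzip.compress(json.dumps({"Records": [
    {"eventVersion": "1.08", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "principalId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
     "eventTime": "2020-05-01T10:15:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "Mozilla/5.0",
     "requestParameters": None, "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"},
     "eventID": "11111111-1111-1111-1111-111111111111"},
    {"eventVersion": "1.08", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE1",
                      "arn": "arn:aws:iam::123456789012:user/alice",
                      "accountId": "123456789012", "userName": "alice"},
     "eventTime": "2020-05-01T10:20:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.9", "userAgent": "aws-cli/2.0.0",
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"},
     "responseElements": None, "eventID": "22222222-2222-2222-2222-222222222222"},
    {"eventVersion": "1.08", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE2",
                      "arn": "arn:aws:iam::123456789012:user/bob",
                      "accountId": "123456789012", "userName": "bob"},
     "eventTime": "2020-05-01T10:25:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.0.0.5", "userAgent": "aws-cli/2.0.0",
     "errorCode": "AccessDenied", "errorMessage": "Access Denied",
     "requestParameters": {"bucketName": "cloudtrail-logs-example", "key": "AWSLogs/x"},
     "responseElements": None, "eventID": "33333333-3333-3333-3333-333333333333"},
    {"eventVersion": "1.08", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:ci",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci",
                      "accountId": "123456789012"},
     "eventTime": "2020-05-01T10:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.0.0.8", "userAgent": "aws-sdk-go/1.30.0",
     "requestParameters": {}, "responseElements": None,
     "eventID": "44444444-4444-4444-4444-444444444444"},
]}).encode())

# Assumption: the organisation's office/VPN range; anything else is "untrusted".
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
# API calls that switch off or weaken the trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}


def load_records(blob):
    """Decode a delivered log file (.json.gz) or plain JSON into its Records list."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic bytes
        blob = gzip.decompress(blob)
    return json.loads(blob)["Records"]


def from_trusted_network(source, networks):
    """sourceIPAddress is an IP for real callers, but a service name (e.g.
    'cloudtrail.amazonaws.com') or 'AWS Internal' when AWS itself makes the
    call; those non-IP values are not flagged."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(ip in net for net in networks)


def detect(records, networks=TRUSTED_NETWORKS):
    """Return one finding dict per rule hit, built from the logged fields."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        src = rec.get("sourceIPAddress", "")

        def hit(rule, rec=rec, ident=ident, src=src):
            findings.append({"rule": rule, "time": rec["eventTime"], "who": ident.get("arn"),
                             "source_ip": src, "event": rec["eventName"],
                             "error": rec.get("errorCode")})

        if ident.get("type") == "Root":
            hit("root-activity")
        if rec["eventName"] == "ConsoleLogin" and \
                rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            hit("console-login-without-mfa")
        if rec["eventSource"] == "cloudtrail.amazonaws.com" and rec["eventName"] in TRAIL_TAMPERING:
            hit("trail-tampering")
        if rec.get("errorCode") in DENIED_CODES:
            hit("access-denied")
        if not from_trusted_network(src, networks):
            hit("untrusted-source-ip")
    return findings


if __name__ == "__main__":
    for f in detect(load_records(SAMPLE_LOG_FILE)):
        print(f["rule"], f["time"], f["who"], f["source_ip"], f["event"])
```

The same rules work unchanged on real files pulled from the trail's bucket, because the loader accepts the .json.gz objects as delivered; the only site-specific piece is the trusted network list.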

  • Validating CloudTrail log file integrity:

    • Were the log files modified or deleted after delivery?

    • CloudTrail log file integrity validation (enabled per trail)

      • SHA-256 hash of each log file, recorded in an hourly digest file

      • Digest files are signed with RSA (SHA256withRSA), and each digest records the hash and signature of the previous one, forming a chain

    • Log files are delivered with a 'digest' file (if validation is enabled)

    • The digest file can be used to validate the integrity of the log files, either with the built-in aws cloudtrail validate-logs command or with your own check of the recorded hashes
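As an added example (not the notes' own code or an AWS tool), the Python below reproduces the hash side of integrity validation offline. It builds a constructed in-memory stand-in for the log bucket (two gzipped log files, a previous digest and a current digest; account ID, bucket, trail name and object keys are made up but follow CloudTrail's key layout), then checks every log file the digest lists against its recorded SHA-256 and checks the link to the previous digest. It also assembles the string that the RSA signature covers, following the format in AWS's custom-validation documentation; actually verifying that signature needs the public key from aws cloudtrail list-public-keys and the signature stored in the object's x-amz-meta-signature metadata, which an offline example does not have, so the previousDigestSignature value here is a labelled placeholder.

```python
"""Validate CloudTrail log files against a digest file, on a constructed in-memory bucket."""
import gzip
import hashlib
import json

ACCOUNT = "123456789012"            # made up
BUCKET = "cloudtrail-logs-example"  # made up
_LOG_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2020/05/01/{ACCOUNT}_CloudTrail_us-east-1_"
_DIGEST_PREFIX = (f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2020/05/01/"
                  f"{ACCOUNT}_CloudTrail-Digest_us-east-1_main_us-east-1_")
LOG_KEY_1 = _LOG_PREFIX + "20200501T1000Z_aaaaaaaaaaaaaaaa.json.gz"
LOG_KEY_2 = _LOG_PREFIX + "20200501T1005Z_bbbbbbbbbbbbbbbb.json.gz"
PREV_DIGEST_KEY = _DIGEST_PREFIX + "20200501T100000Z.json.gz"
DIGEST_KEY = _DIGEST_PREFIX + "20200501T110000Z.json.gz"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_store():
    """Constructed stand-in for the S3 bucket: key -> gzipped object bytes.
    Hashes are taken the way CloudTrail does it: SHA-256 over the gzipped
    object exactly as stored in S3."""
    store = {
        LOG_KEY_1: gzip.compress(json.dumps({"Records": [{"eventName": "DescribeInstances"}]}).encode()),
        LOG_KEY_2: gzip.compress(json.dumps({"Records": [{"eventName": "StopLogging"}]}).encode()),
        PREV_DIGEST_KEY: gzip.compress(json.dumps(
            {"digestEndTime": "2020-05-01T10:00:00Z", "logFiles": []}).encode()),
    }
    digest = {
        "awsAccountId": ACCOUNT,
        "digestStartTime": "2020-05-01T10:00:00Z",
        "digestEndTime": "2020-05-01T11:00:00Z",
        "digestS3Bucket": BUCKET,
        "digestS3Object": DIGEST_KEY,
        "digestSignatureAlgorithm": "SHA256withRSA",
        "previousDigestS3Bucket": BUCKET,
        "previousDigestS3Object": PREV_DIGEST_KEY,
        "previousDigestHashValue": sha256_hex(store[PREV_DIGEST_KEY]),
        "previousDigestHashAlgorithm": "SHA-256",
        # Placeholder: in a real digest this is the hex RSA signature of the previous digest.
        "previousDigestSignature": "00" * 256,
        "logFiles": [{"s3Bucket": BUCKET, "s3Object": k, "hashValue": sha256_hex(store[k]),
                      "hashAlgorithm": "SHA-256"} for k in (LOG_KEY_1, LOG_KEY_2)],
    }
    store[DIGEST_KEY] = gzip.compress(json.dumps(digest).encode())
    return store


def validate_digest(store, digest_key):
    """Check every log file listed in the digest plus the link to the previous
    digest. Returns {object_key: status}."""
    digest = json.loads(gzip.decompress(store[digest_key]))
    results = {}
    for entry in digest["logFiles"]:
        blob = store.get(entry["s3Object"])
        if blob is None:
            status = "MISSING"             # deleted, or never delivered
        elif entry["hashAlgorithm"] != "SHA-256":
            status = "UNKNOWN_ALGORITHM"
        elif sha256_hex(blob) == entry["hashValue"]:
            status = "VALID"
        else:
            status = "INVALID"             # modified after delivery
        results[entry["s3Object"]] = status
    prev_key = digest.get("previousDigestS3Object")
    if prev_key:                           # a trail's first digest has no predecessor
        prev = store.get(prev_key)
        if prev is None:
            results[prev_key] = "CHAIN_BROKEN_MISSING"
        elif sha256_hex(prev) == digest["previousDigestHashValue"]:
            results[prev_key] = "CHAIN_VALID"
        else:
            results[prev_key] = "CHAIN_BROKEN_MODIFIED"
    return results


def digest_signing_string(store, digest_key):
    """The newline-separated string CloudTrail signs (SHA256withRSA) for a
    digest, per the AWS custom-validation docs: digest end time, bucket/key,
    SHA-256 of the digest file, previous digest signature. Assumes a digest
    that has a predecessor."""
    digest = json.loads(gzip.decompress(store[digest_key]))
    return "\n".join([digest["digestEndTime"],
                      f"{digest['digestS3Bucket']}/{digest['digestS3Object']}",
                      sha256_hex(store[digest_key]),
                      digest["previousDigestSignature"]])


if __name__ == "__main__":
    for key, status in validate_digest(build_store(), DIGEST_KEY).items():
        print(status, key)
```

Against a real bucket, replace the dict with S3 GetObject calls keyed by the digest's s3Object values; because the hash is over the stored gzipped bytes, the objects must be hashed as downloaded, not after decompression.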

  • Securing CloudTrail logs

    • Use IAM policies and S3 bucket policies to restrict access to the S3 bucket containing the log files. Place employees who have a security role into an IAM group whose attached policies grant access to the logs.

    • Use SSE-S3 (the default) or SSE-KMS with a customer-managed key to encrypt the logs

    • Configure SNS notifications and log file validation on the trail. Develop a solution that, when triggered by SNS, validates the delivered logs against the digest file.

    • Restrict delete access with IAM and bucket policies. Configure S3 MFA Delete on the bucket. Use log file validation to confirm that logs have not been deleted.

    • By default logs are kept indefinitely. Use S3 object lifecycle management to remove the files after the required retention period, or move them to S3 Glacier for more cost-effective long-term storage.
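The points above are checkable from the trail's configuration and the bucket's policy. As an added example (not the notes' own code or an AWS tool), the Python below audits constructed inputs shaped like the responses of aws cloudtrail describe-trails, aws cloudtrail get-trail-status, aws s3api get-bucket-policy and aws s3api get-bucket-versioning. The account ID, bucket, trail, KMS key, SNS topic and the SecurityAudit role that is exempt from the delete Deny are all made up, and the function names are hypothetical. The sample policy shows the hardened shape: the two Allow statements CloudTrail needs in order to write, plus an explicit Deny on deletion for everyone except the security role.

```python
"""Audit a CloudTrail trail and its log bucket for the hardening points above (constructed data)."""

ACCOUNT = "123456789012"                                        # made up
BUCKET = "cloudtrail-logs-example"                              # made up
SECURITY_ROLE = f"arn:aws:iam::{ACCOUNT}:role/SecurityAudit"    # assumption

# Shaped like one entry of describe-trails' trailList and get-trail-status.
TRAIL = {
    "Name": "main", "TrailARN": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/main",
    "S3BucketName": BUCKET, "SnsTopicARN": f"arn:aws:sns:us-east-1:{ACCOUNT}:cloudtrail-delivery",
    "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": True,
    "KmsKeyId": f"arn:aws:kms:us-east-1:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555",
}
TRAIL_STATUS = {"IsLogging": True}
# Shaped like get-bucket-versioning.
VERSIONING = {"Status": "Enabled", "MFADelete": "Enabled"}

# Hardened bucket policy: CloudTrail's two required Allows, then a Deny on
# deletion for every principal except the security role.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{ACCOUNT}/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    {"Sid": "DenyDeleteExceptSecurity", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
     "Condition": {"ArnNotEquals": {"aws:PrincipalArn": SECURITY_ROLE}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trail(trail, status):
    """Findings about the trail itself; empty list means it passes."""
    findings = []
    if not status.get("IsLogging"):
        findings.append("trail is stopped (StopLogging): no events are being recorded")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("single-region trail: activity in other regions is not captured")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events (IAM, STS, CloudFront) are not captured")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation off: no digest files, so tampering is undetectable")
    if not trail.get("KmsKeyId"):
        findings.append("logs encrypted with SSE-S3 only; no customer-managed KMS key (SSE-KMS)")
    if not trail.get("SnsTopicARN"):
        findings.append("no SNS topic: nothing is notified when a log file is delivered")
    return findings


def audit_bucket(policy, versioning):
    """Findings about the log bucket's policy and versioning settings."""
    findings = []
    stmts = policy["Statement"]
    if not any(s["Effect"] == "Allow" and s.get("Principal") == {"Service": "cloudtrail.amazonaws.com"}
               and "s3:PutObject" in _as_list(s.get("Action", [])) for s in stmts):
        findings.append("bucket policy does not let cloudtrail.amazonaws.com write log files")
    if any(s["Effect"] == "Allow" and s.get("Principal") in ("*", {"AWS": "*"}) for s in stmts):
        findings.append("bucket policy grants access to everyone (Principal *)")
    if not any(s["Effect"] == "Deny" and "s3:DeleteObject" in _as_list(s.get("Action", []))
               for s in stmts):
        findings.append("no explicit Deny on s3:DeleteObject: any principal with delete rights can destroy logs")
    if versioning.get("Status") != "Enabled" or versioning.get("MFADelete") != "Enabled":
        findings.append("versioning with MFA Delete is not enabled on the log bucket")
    return findings


if __name__ == "__main__":
    for finding in audit_trail(TRAIL, TRAIL_STATUS) + audit_bucket(BUCKET_POLICY, VERSIONING):
        print("FINDING:", finding)
```

Feed the same functions the live JSON from the four CLI commands to audit a real trail; an empty result from both means the configuration matches the bullets above.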


Last updated 5 years ago
