Secure Configurations: Hardening & Technology Setup

How should I set up AWS CloudTrail for my audit?

A guide for filtering AWS CloudTrail events to find critical issues which need an alert

This outline can be used as a formally documented internal process under the name “CloudTrail events being captured”.

Capturing Key Logs versus “Noise”:

To filter CloudTrail events down to the critical issues that need an alert, focus on the trigger events that tell you whether someone with malicious intent is trying to gain access, or has already gained access and is trying to hide their activity:

  1. User Accounts 

    1. Unauthorized Activity
    2. AWS GuardDuty DetectorDeleted
  2. Buckets

    (yep, they're going for the data. S3 Buckets are usually the target)

    1. AWS S3 Buckets Enumerated
    2. AWS S3 Bucket Policy Modified
    3. AWS S3 Public Access Block Removed
  3. Networking Components

    1. AWS VPC Created or Modified
    2. AWS Route Table Created or Modified
    3. AWS Network Gateway Created or Modified
    4. AWS Network Access Control List Created or Modified
    5. AWS Security Group Created or Modified
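
As an added example (not code from the Trustero article or from AWS), here is a small Python filter that applies the categories above to CloudTrail records and drops everything else as noise. The article names categories only; the mapping from each category to CloudTrail `eventName` values, the error codes and console-login check used for “unauthorized activity”, the field shape assumed for `PutBucketPublicAccessBlock`, and the sample records are all my own assumptions, and the sample records are constructed rather than real CloudTrail output.

```python
import json

# Category names mirror the guide's list. The eventName values are CloudTrail API
# action names chosen by the example author; the guide itself names categories only.
ALERT_EVENTS = {
    "guardduty_detector_deleted": {"DeleteDetector"},
    "s3_buckets_enumerated": {"ListBuckets"},
    "s3_bucket_policy_modified": {"PutBucketPolicy", "DeleteBucketPolicy"},
    "s3_public_access_block_removed": {"DeleteBucketPublicAccessBlock"},
    "vpc_created_or_modified": {"CreateVpc", "ModifyVpcAttribute", "DeleteVpc"},
    "route_table_created_or_modified": {
        "CreateRouteTable", "CreateRoute", "ReplaceRoute", "DeleteRoute", "DeleteRouteTable"},
    "network_gateway_created_or_modified": {
        "CreateInternetGateway", "AttachInternetGateway", "DetachInternetGateway", "CreateNatGateway"},
    "network_acl_created_or_modified": {
        "CreateNetworkAcl", "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry"},
    "security_group_created_or_modified": {
        "CreateSecurityGroup", "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
        "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"},
}
EVENT_TO_CATEGORY = {name: cat for cat, names in ALERT_EVENTS.items() for name in names}

# IAM denial codes that mark "unauthorized activity" regardless of which API was called.
UNAUTHORIZED_ERROR_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}
# The four public-access-block flags (field names assumed from the S3 API request body).
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def classify(record):
    """Return the alert category for one CloudTrail record, or None if it is noise."""
    name = record.get("eventName", "")
    # Denied API calls and failed console logins are the "unauthorized activity" signal.
    if record.get("errorCode") in UNAUTHORIZED_ERROR_CODES:
        return "unauthorized_activity"
    if name == "ConsoleLogin" and (record.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
        return "unauthorized_activity"
    # Edge case: the block is also removed by a Put that switches every flag off,
    # not only by DeleteBucketPublicAccessBlock, so inspect the request parameters.
    if name == "PutBucketPublicAccessBlock":
        cfg = (record.get("requestParameters") or {}).get("PublicAccessBlockConfiguration") or {}
        return None if any(cfg.get(flag) for flag in PAB_FLAGS) else "s3_public_access_block_removed"
    return EVENT_TO_CATEGORY.get(name)


def load_records(text):
    """Accept a CloudTrail delivery file ({"Records": [...]}) or newline-delimited records."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if isinstance(doc, dict):
        return doc.get("Records", [doc])
    return doc


def filter_trail(records):
    """Keep only the records that map to an alert category, in a compact alert shape."""
    alerts = []
    for rec in records:
        category = classify(rec)
        if category:
            identity = rec.get("userIdentity") or {}
            alerts.append({
                "category": category,
                "eventTime": rec.get("eventTime"),
                "eventName": rec.get("eventName"),
                "actor": identity.get("arn") or identity.get("type"),
                "sourceIPAddress": rec.get("sourceIPAddress"),
            })
    return alerts


# Constructed sample trail (not real CloudTrail output; fields trimmed to what classify() reads).
_ACTOR = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-user"}
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "DeleteDetector", "userIdentity": _ACTOR,
     "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-01-01T10:01:00Z", "eventName": "ListBuckets", "userIdentity": _ACTOR,
     "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-01-01T10:02:00Z", "eventName": "DescribeInstances", "userIdentity": _ACTOR,
     "sourceIPAddress": "203.0.113.5"},  # routine read-only call: noise
    {"eventTime": "2024-01-01T10:03:00Z", "eventName": "PutBucketPolicy", "userIdentity": _ACTOR,
     "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-01-01T10:04:00Z", "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": _ACTOR,
     "sourceIPAddress": "203.0.113.5", "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "ConsoleLogin", "userIdentity": _ACTOR,
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventName": "PutBucketPublicAccessBlock", "userIdentity": _ACTOR,
     "sourceIPAddress": "203.0.113.5",
     "requestParameters": {"PublicAccessBlockConfiguration": {flag: False for flag in PAB_FLAGS}}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventName": "CreateVpc", "userIdentity": _ACTOR,
     "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-01-01T10:08:00Z", "eventName": "GetObject", "userIdentity": _ACTOR,
     "sourceIPAddress": "203.0.113.5"},  # data-plane read: noise
]})

if __name__ == "__main__":
    for alert in filter_trail(load_records(SAMPLE_TRAIL)):
        print(f"{alert['eventTime']}  {alert['category']:<34} {alert['eventName']:<28} "
              f"{alert['actor']} from {alert['sourceIPAddress']}")
```

The same `ALERT_EVENTS` sets are the starting point for whichever AWS mechanism you use in production (a CloudWatch Logs metric filter on the trail's log group, or an EventBridge rule matching `eventName`); keeping the mapping in one place makes it easy to record in the spreadsheet suggested below exactly which event names each alert covers. Note the precedence in `classify()`: a denied call is reported as unauthorized activity even when its `eventName` also appears in a networking category, so a blocked change is not mistaken for a successful one.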

 

Trustero Tip: Create a spreadsheet (if you haven't already) to build a clear picture of where you are gathering logs, where they are going, what is being monitored for alerts, and where alerts go. This is not a requirement for the actual audit; it will just help you stay organized and make sure nothing is missed as you continue to grow and mature.