CloudTrail

CloudTrail Overview:

Things to know about CloudTrail:

• CloudTrail is automatically enabled in each account and cannot be disabled

• The default CloudTrail events are logged in each region and can be access under CloudTrail → Event History

• The default retention is 90 days

• To centrally collect CloudTrail you need to configure a 'CloudTrail trail'

• Events generated by the IAM service are recorded in the 'us-east-1' region

• AWS services in preview or not yet released are not supported in CloudTrail

• The AWS Import/Export service does not log to CloudTrail

• Amazon VPC endpoint policy-specific events are not recorded in CloudTrail

Event Types:

• Management Events (Enabled by default)

  • Free

  • Management events are on by default and record read and write access in an AWS account. Some example management events are:

    • Creating a new virtual machine in EC2

    • Modifying the CloudTrail configuration

    • Creating a new user in IAM

    • Deleting an IAM policy

    • Modifying IAM roles

      • These event are also called Management or Control plane events.

• Data Events (Disabled by default)

  • Not free

  • Date events are off by default and record events about actions performed on a resource. Some example data events are:

    • Downloading a file from an S3 bucket

    • Deleting an object in S3

    • Execution of AWS Lambda functions

    • Events from GuardDuty Detectors generated by the GuardDuty agent

    • These event are also called Data plane events.

• Insight Events (Disabled by default)

  • Not free

  • Insights events are off by default and are generated by AWS when unusual activity is detected based on CloudTrail Management events or Data events. Some example Insights events are: ●

    • On a normal day there are 20 calls to create a S3 bucket, but all of a sudden there are 100 this will generate an Insights events, because it’s unusual. ●

    • A sudden increase in Access Denied events related to your Network security rules triggers an Insights event. ●

    • A decrease in API calls made towards data stored in a specific S3 folder.

    • You have no control over the anomaly detection mechanism used by AWS to trigger these events. Based on our experience we don’t see this events enabled often.

Configuring Trails:

Advance Selectors:

Analysis Tips:

CloudTrail Events:

GitHub - invictus-ir/aws-cheatsheet: A cheatsheet containing AWS CloudTrail events that can be used for Incident Response purposes or Detection Engineering.GitHub

Important Fields:

Fieldname	Relevance for IR
eventTime	When did the event occur?
eventSource	Which AWS service triggered the event?
eventName	What action was performed?
userIdentity	Who or what performed the action?
requestParameters	What are the details about the action?
responseElements	How did the AWS service respond to the action?
awsRegion	In which region did the event occur?
sourceIPAddress	From which IP was the request made
readOnly	Was there a change

• readOnly

  • True or false, used to hunt for write actions if false.

  • Was there a change?

Example Event

Cloudtrail Lakes: