Simplifying compliance trails and audits with Federated Search for Amazon S3
You are preparing for annual audits, such as PCI-DSS and SOC 2, which require detailed records and fast responses to auditor questions. Auditors ask for evidence of administrative changes, privileged user actions, and failed logins over the past three years. In the past, collecting this data meant exporting and ingesting huge amounts of logs from S3 into the Splunk platform, taking weeks and costing a lot of money. You need a better solution.
To see this use case in action, open the click-through Demo: Federated Search for Amazon S3 use cases and select the Compliance Trail & Audit use case.
Data required
How to use Splunk software for this use case
With Splunk Federated Search for Amazon S3 you can streamline your compliance process, gaining fast and cost-effective access to years of data. Searches you can run include:
- Audit all administrative changes over the past year
This search retrieves all successful, non-read-only administrative API calls from S3 CloudTrail logs, providing a comprehensive audit trail of configuration changes.
| sdselect eventtime eventname eventsource eventtype readonly sourceipaddress awsregion errorcode useragent recipientaccountid requestid eventid requestparameters responseelements serviceeventdetails useridentity FROM federated:flaws_cloudtrail_parquet_logs | where lower(eventtype)="awsapicall" | where (readonly=0 OR readonly="false" OR isnull(readonly)) | where isnull(errorcode) | table eventtime eventname eventsource sourceipaddress awsregion useragent recipientaccountid requestid eventid requestparameters responseelements serviceeventdetails useridentity
The search returns results that look like this:

- Identify all failed login attempts
This search lists all failed console login attempts from S3 CloudTrail logs, including error messages and codes, to help you demonstrate access control compliance and identify unauthorized access attempts. A login is treated as failed when CloudTrail recorded an error code or error message for it.
| sdselect eventtime eventname eventsource sourceipaddress useragent awsregion errormessage errorcode FROM federated:flaws_cloudtrail_parquet_logs | where eventsource="signin.amazonaws.com" OR eventname IN ("ConsoleLogin","consolelogin") | eval status = if(isnull(errorcode) AND isnull(errormessage), "Success", "Failed") | where status!="Success" | table eventtime eventname status errormessage errorcode sourceipaddress useragent awsregion | sort - eventtime
The search returns results that look like this:

- Summarize privileged user login activity
This search summarizes login activity for privileged users (for example, root) and non-privileged users from S3 CloudTrail logs, indicating success or failure, to audit sensitive actions and ensure adherence to policies.
| sdselect eventtime eventname eventsource sourceipaddress useragent awsregion errormessage errorcode recipientaccountid requestid eventid FROM federated:flaws_cloudtrail_parquet_logs reuse_search_results=false | where eventsource="signin.amazonaws.com" OR eventname IN ("ConsoleLogin","consolelogin","Login","login") | eval status = if(isnull(errorcode) AND isnull(errormessage), "Success", "Failed") | eval privileged = case(match(errormessage,"(?i)root"), "root", match(useragent,"(?i)\\broot\\b"), "root", match(eventname,"(?i)root"), "root", true(), "non-root") | eval privileged_reason = case(match(errormessage,"(?i)root"), "errormessage", match(useragent,"(?i)\\broot\\b"), "useragent", match(eventname,"(?i)root"), "eventname", true(), "none") | table eventtime eventname status privileged privileged_reason sourceipaddress useragent awsregion recipientaccountid requestid eventid errorcode errormessage | sort - privileged status - eventtime
The search returns results that look like this:

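The three searches above select rows by the same handful of CloudTrail fields (eventType, readOnly, errorCode, errorMessage, eventSource, eventName). The following Python, an added example rather than code from Splunk or this article, applies that same filtering logic to constructed CloudTrail records so you can check what each search will and will not return before running it against S3. It goes slightly beyond the third search by also treating userIdentity.type="Root" as privileged, which CloudTrail sets directly and the regex heuristic alone misses.

```python
import re

# Constructed sample CloudTrail records (not real data), using the field names
# CloudTrail writes; the Parquet columns read by sdselect carry the same values.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T10:00:00Z", "eventName": "PutBucketPolicy", "eventType": "AwsApiCall",
     "eventSource": "s3.amazonaws.com", "readOnly": False, "userIdentity": {"type": "IAMUser"}},
    {"eventTime": "2024-03-01T10:01:00Z", "eventName": "ListBuckets", "eventType": "AwsApiCall",
     "eventSource": "s3.amazonaws.com", "readOnly": True, "userIdentity": {"type": "IAMUser"}},
    {"eventTime": "2024-03-01T10:02:00Z", "eventName": "DeleteTrail", "eventType": "AwsApiCall",
     "eventSource": "cloudtrail.amazonaws.com", "errorCode": "AccessDenied", "userIdentity": {"type": "IAMUser"}},
    {"eventTime": "2024-03-01T10:03:00Z", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "eventSource": "signin.amazonaws.com", "errorMessage": "Failed authentication", "userIdentity": {"type": "Root"}},
    {"eventTime": "2024-03-01T10:04:00Z", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "eventSource": "signin.amazonaws.com", "userIdentity": {"type": "IAMUser"}},
]

def is_admin_change(ev):
    # Search 1: successful, non-read-only API calls; readOnly may be absent, 0 or "false".
    read_only = ev.get("readOnly")
    return (str(ev.get("eventType", "")).lower() == "awsapicall"
            and (read_only is None or str(read_only).lower() in ("0", "false"))
            and ev.get("errorCode") is None)

def is_console_login(ev):
    # Searches 2 and 3: events from the sign-in service or named ConsoleLogin.
    return (ev.get("eventSource") == "signin.amazonaws.com"
            or str(ev.get("eventName", "")).lower() == "consolelogin")

def login_status(ev):
    # The searches' eval: success only when neither errorCode nor errorMessage is set.
    return "Success" if ev.get("errorCode") is None and ev.get("errorMessage") is None else "Failed"

def is_privileged(ev):
    # Search 3's regex heuristic over errorMessage/userAgent/eventName, plus the
    # direct userIdentity.type check that CloudTrail provides (added here).
    if ev.get("userIdentity", {}).get("type") == "Root":
        return True
    return any(re.search(r"(?i)\broot\b", str(ev.get(f, ""))) for f in ("errorMessage", "userAgent", "eventName"))

def compliance_summary(events):
    # One row set per audit question, newest first like the searches' sort.
    newest_first = sorted(events, key=lambda e: e["eventTime"], reverse=True)
    return {
        "admin_changes": [e["eventName"] for e in newest_first if is_admin_change(e)],
        "failed_logins": [(e["eventTime"], e.get("errorMessage")) for e in newest_first
                          if is_console_login(e) and login_status(e) == "Failed"],
        "login_activity": [("root" if is_privileged(e) else "non-root", login_status(e))
                           for e in newest_first if is_console_login(e)],
    }
```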
Next steps
Your team runs targeted searches directly on the S3 logs and instantly gets the required records, with no waiting and no data duplication. As the audit continues, you quickly create audit-ready reports, check regulatory requirements, and answer auditor questions in real time. Historical evidence that was previously hard to access is now readily available.
To get started, sign up for the Federated Search for Amazon S3 free trial.
In addition, these resources might help you understand and implement this guidance:
- Splunk Help: About Splunk Federated Search for Amazon S3
- Splunk Lantern Article: Leveraging Federated Search for Amazon S3 for key security use cases
- Splunk Lantern Article: Using Federated Search for Amazon S3 for monitoring and detection
- Splunk Lantern Article: Partitioning data in S3 for the best FS-S3 experience
- Splunk Lantern Article: Using Federated Search for Amazon S3 with Edge Processor
- Splunk Lantern Article: Using Federated Search for Amazon S3 with ingest actions