Amazon Web Services (AWS) has become an integral part of many organizations’ IT infrastructure. CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. You can use it to log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. In the Common Information Model, CloudTrail log data is typically mapped to the Authentication and Change data models.
CloudTrail data provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. It increases visibility into your user and resource activity by recording AWS Management Console actions and API calls so you can detect unusual activity.
When your Splunk deployment is ingesting Amazon CloudTrail data, you can use the data to achieve the following objectives:
- Managing an Amazon Web Services environment
- Multifactor authentication
The CIS Benchmark recommends the use of Multi-Factor Authentication (MFA) on accounts with a console password (Section 1.2) and on root accounts (1.14). Enabling MFA hardens accounts; conversely, accounts without MFA are more easily compromised. To see which users are signing in to the console without MFA, run the following search:
sourcetype=aws:cloudtrail eventName=ConsoleLogin
| stats count BY userName, additionalEventData.MFAUsed
- Service action errors
Errors associated with service actions are useful when threat hunting. To hunt for compromised account activity, run the following search:
sourcetype=aws:cloudtrail errorCode=*
| stats count BY errorCode
| sort - count
After you find errors you want to investigate, run the following search:
sourcetype=aws:cloudtrail errorCode=<error name>
| table awsregion eventName userName src_ip userAgent errorMessage
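The two hunts above (console sign-ins grouped by user and MFAUsed, and API errors grouped by errorCode) replayed offline in Python, as an added example that is not part of this page, of the Splunk add-on, or of AWS. It parses a constructed CloudTrail log in the same JSON shape the aws:cloudtrail source type carries; the field names are CloudTrail's, every sample value is made up, and the fallback from a missing userName to the identity type (so root sign-ins show as "Root") is this script's own assumption, not Splunk's field extraction.

```python
"""Offline replay of the MFA and errorCode hunts over constructed CloudTrail
records. Added example; not Splunk's or AWS's code. Sample values are made up."""
import json
from collections import Counter

# Constructed sample log in CloudTrail's {"Records": [...]} envelope.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "sourceIPAddress": "198.51.100.10", "userAgent": "Mozilla/5.0"},
    {"eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "sourceIPAddress": "203.0.113.7", "userAgent": "Mozilla/5.0"},
    {"eventName": "ConsoleLogin", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "sourceIPAddress": "203.0.113.7", "userAgent": "Mozilla/5.0"},
    # Root sign-ins carry no userName; only userIdentity.type says "Root".
    {"eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root", "accountId": "111122223333"},
     "additionalEventData": {"MFAUsed": "No"},
     "sourceIPAddress": "192.0.2.44", "userAgent": "Mozilla/5.0"},
    {"eventName": "GetBucketAcl", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied",
     "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/2.0"},
    {"eventName": "ListUsers", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: iam:ListUsers",
     "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/2.0"},
    {"eventName": "RunInstances", "awsRegion": "us-west-2",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation.",
     "sourceIPAddress": "198.51.100.23", "userAgent": "Boto3/1.26"},
]})


def load_records(text):
    """Return the list of event dicts from a CloudTrail log file body."""
    return json.loads(text)["Records"]


def user_name(record):
    """userName as the SPL searches use it. Falling back to the identity type
    (e.g. "Root") when no userName is present is an assumption of this script."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("type", "unknown")


def mfa_usage(records):
    """Equivalent of `eventName=ConsoleLogin | stats count BY userName,
    additionalEventData.MFAUsed`: a Counter keyed by (userName, MFAUsed)."""
    counts = Counter()
    for rec in records:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        mfa = rec.get("additionalEventData", {}).get("MFAUsed", "unknown")
        counts[(user_name(rec), mfa)] += 1
    return counts


def users_without_mfa(records):
    """Sorted principals that signed in to the console with MFAUsed=No."""
    return sorted({user for (user, mfa) in mfa_usage(records) if mfa == "No"})


def error_counts(records):
    """Equivalent of `errorCode=* | stats count BY errorCode | sort - count`.
    Records without an errorCode (successful calls) are left out."""
    return Counter(r["errorCode"] for r in records if "errorCode" in r).most_common()


def error_details(records, error_code):
    """Equivalent of `errorCode=<name> | table awsregion eventName userName
    src_ip userAgent errorMessage`, returned as a list of row dicts."""
    return [
        {"awsRegion": r.get("awsRegion"), "eventName": r.get("eventName"),
         "userName": user_name(r), "src_ip": r.get("sourceIPAddress"),
         "userAgent": r.get("userAgent"), "errorMessage": r.get("errorMessage")}
        for r in records if r.get("errorCode") == error_code
    ]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for (user, mfa), n in sorted(mfa_usage(recs).items()):
        print(f"{user:8} MFAUsed={mfa:4} count={n}")
    print("console sign-ins without MFA:", users_without_mfa(recs))
    for code, n in error_counts(recs):
        print(f"{code:30} {n}")
    for row in error_details(recs, "AccessDenied"):
        print(row)
```

Running the script lists bob and the root identity as having signed in without MFA (the CIS 1.2 and 1.14 cases respectively), ranks AccessDenied ahead of Client.UnauthorizedOperation, and prints the same six columns the `| table` search returns for the chosen error code.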
Managing an Amazon Web Services environment
See the following use case for more information:
The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official AWS resources.
If your deployment is not already ingesting AWS CloudTrail logs, follow the Getting Data In guidance for Splunk Enterprise or the Onboarding and Forwarding Your Data guidance for Splunk Cloud.
The recommended index is awscloudtrail.
The source type is aws:cloudtrail.
The supported input type is CloudTrail, specifically the API call history from the AWS CloudTrail service.
In addition, you will need the Splunk Add-on for Amazon Web Services; the add-on and its official documentation are available from Splunk. Read and follow the documentation carefully to understand everything you need to work with this data source, including how to install the add-on, configure AWS, and configure Splunk.
The recommended maximum daily indexing volume for a typical CloudTrail log source type on a clustered indexer is 150 - 200 GB per indexer. Use this as a rough guideline to plan for the number of indexers to deploy in your clustered environment. Adding more indexers to a cluster improves indexing and search retrieval performance. Since this also incurs some additional within-cluster data replication traffic, adjust the number of indexers in your cluster based on your actual system performance.
You can confirm that Splunk has begun ingesting the data from AWS by searching the awscloudtrail index for the aws:cloudtrail source type. The Splunk Add-on for AWS also provides a built-in health overview dashboard for initial troubleshooting.