Skip to main content

Amazon Web Services: CloudTrail

  • Updated

Amazon Web Services (AWS) has become an integral part of many organizations’ IT infrastructure. CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. You can use it to log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. In the Common Information Model, CloudTrail log data is typically mapped to the Authentication and Change data models.

Data visibility 

CloudTrail data provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. It increases visibility into your user and resource activity by recording AWS Management Console actions and API calls so you can detect unusual activity. 

Data application

When your Splunk deployment is ingesting Amazon CloudTrail data, you can use the data to achieve the following objectives:

  • Managing an Amazon Web Services environment
  • Multifactor authentication

    The CIS Benchmark recommends the use of Multi-Factor Authentication (MFA) on accounts with a console password (Section 1.2) and root accounts (1.14). Enabling MFA helps secure accounts, so conversely, the lack of MFA may result in accounts that are more easily compromised. To see if users are logging in without MFA, run the following search:

    sourcetype=aws:cloudtrail eventName=ConsoleLogin
    | stats count BY username, additionalEventData.MFAUsed
  • Service action errors

    Errors associated with service actions are useful when threat hunting. To hunt for compromised account activity, run the following search:

    sourcetype=aws:cloudtrail
    |stats count BY errorCode
    |sort - count

    After you find errors you want to investigate, run the following search:

    sourcetype=aws:cloudtrail errorCode=<error name>
    |table awsregion eventName userName src_ip userAgent errorMessage

Managing an Amazon Web Services environment

See the following use case for more information:

Configuration

The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official AWS resources.

Data ingestion

If your deployment is not already ingesting AWS CloudTrail logs, follow the Getting Data In guidance for Splunk Enterprise or the Onboarding and Forwarding Your Data guidance for Splunk Cloud.

The recommended index is awscloudtrail

The source type is aws:cloudtrail

The supported input type is CloudTrail, specifically the API call history from the AWS CloudTrail service. 

In addition, you will need the Splunk Add-on for Amazon Web Services. The add-on can be downloaded here and the official documentation can be accessed here. Read and follow the documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure AWS, and configure Splunk.

Sizing estimate

The recommended maximum daily indexing volume for a typical CloudTrail log source type on a clustered indexer is 150 - 200 GB per indexer. Use this as a rough guideline to plan for the number of indexers to deploy in your clustered environment. Adding more indexers to a cluster improves indexing and search retrieval performance. Since this also incurs some additional within-cluster data replication traffic, adjust the number of indexers in your cluster based on your actual system performance.

Validation

You can make sure that Splunk has begun ingesting the data from AWS by running Splunk searches. The Splunk add-on for AWS also has a built-in health-overview dashboard that will provide initial troubleshooting information.

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.