O'Reilly's Automating Security in the Cloud

Issue link: https://resources.threatstack.com/i/872576

Simple Notification Service (SNS) topic which receives notifications of log file deliveries. You can set up lifecycle rules on the S3 bucket to archive CloudTrail logs to Glacier or delete them after a period of time to limit these charges. Rarely do these charges exceed a few dollars per month.

Creating and/or Updating Your Trail

Creating a trail for your AWS account will help identify which users and accounts called AWS for services that support CloudTrail, the source IP address the calls were made from, and when the calls occurred. You can integrate CloudTrail into applications using the API, automate trail creation for your organization, check the status of your trails, and control how administrators turn CloudTrail logging on and off.

Trails can be enabled by using the AWS CloudTrail console or the AWS Command Line Interface (AWS CLI). Both methods follow the same steps:

1. Turn on CloudTrail. By default, when you create a trail in one region in the CloudTrail console, the trail will apply to all regions.

CIS Benchmark Recommendation - 2.1 Ensure CloudTrail is enabled in all regions (Scored). AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

2. Create a new Amazon S3 bucket for storing your log files, or specify an existing bucket where you want the log files delivered. By default, log files from all AWS regions in your account will be delivered to the bucket you specify.

CIS Benchmark Recommendation - 2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored). CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. Rationale: allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.

3. Create a new Amazon SNS topic in order to receive notifications when new log files are delivered. Log file delivery notifications from all regions are sent to the topic that you specify.

4. Configure CloudWatch Logs to receive your logs from CloudTrail so that you can monitor for specific kinds of log events.

CIS Benchmark Recommendation - 3.1 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored). Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API
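The final step above relies on a CloudWatch Logs metric filter over the CloudTrail records. The following added example (not from the book or from AWS) applies the CIS 3.1 filter pattern to a few constructed CloudTrail records offline, so you can see which records would increment the metric and whether the alarm would fire; the matcher is an approximation of the CloudWatch pattern engine written for this illustration, and the sample records and names in it are made up.

```python
"""Offline model of the CIS 3.1 'unauthorized API calls' metric filter."""
import fnmatch
import json

# CIS AWS Foundations Benchmark 3.1 filter pattern, in CloudWatch Logs syntax.
CIS_31_PATTERN = '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
# The same two tests as (JSON field, glob) pairs for local evaluation.
CIS_31_TERMS = (("errorCode", "*UnauthorizedOperation"), ("errorCode", "AccessDenied*"))


def matches_cis_31(record: dict) -> bool:
    """True when the record would increment the CIS 3.1 metric. A successful
    call carries no errorCode, so it never matches (as in CloudWatch Logs)."""
    return any(
        fnmatch.fnmatchcase(str(record.get(field, "")), glob)
        for field, glob in CIS_31_TERMS
    )


def unauthorized_calls(log_lines):
    """Parse CloudTrail records (one JSON document per line) and return
    (caller, eventName, errorCode) for every record that matched."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if matches_cis_31(rec):
            ident = rec.get("userIdentity", {})
            caller = ident.get("userName") or ident.get("arn", "unknown")
            hits.append((caller, rec["eventName"], rec["errorCode"]))
    return hits


def alarm_would_fire(log_lines, threshold: int = 1) -> bool:
    """CIS 3.1 alarms when the metric sum reaches the threshold (>= 1) in a period."""
    return len(unauthorized_calls(log_lines)) >= threshold


# Constructed sample records (not real account data), trimmed to the fields used above.
SAMPLE_LOG = [
    '{"eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation", "userIdentity": {"userName": "alice"}}',
    '{"eventName": "GetObject", "errorCode": "AccessDenied", "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app"}}',
    '{"eventName": "ListBuckets", "userIdentity": {"userName": "bob"}}',
    '{"eventName": "PutObject", "errorCode": "ThrottlingException", "userIdentity": {"userName": "bob"}}',
    '{"eventName": "GetUser", "errorCode": "AccessDeniedException", "userIdentity": {"userName": "carol"}}',
]

if __name__ == "__main__":
    for caller, event, code in unauthorized_calls(SAMPLE_LOG):
        print(f"{caller}: {event} -> {code}")
    print("alarm would fire:", alarm_would_fire(SAMPLE_LOG))
```

The throttled PutObject and the successful ListBuckets are left out of the count, which is the behaviour you want from the alarm: it should page on permission failures, not on ordinary API errors.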
