In the previous blog I implemented several steps to reduce costs and protect an AWS account against unauthorized user access.
These remediation steps included:
a) Enabling Block Public Access on S3 buckets
b) Linking Multi-Factor Authentication (MFA) to your AWS Root account
c) Cleaning up and deleting inactive AWS services
d) Deleting users that are not listed under AWS IAM
e) Resetting the passwords of your AWS IAM and Root accounts
f) Resetting the passwords of your email accounts
g) Enabling MFA on your email accounts
h) Monitoring AWS service usage with AWS CloudWatch
i) Creating a Cost Anomaly Detection report in AWS Cost Explorer
If you would also like to monitor for unauthorized access by a user, you can create a trail in AWS CloudTrail.
AWS CloudTrail supports compliance by providing an audit record of user actions and API usage: each action taken by a user, role or AWS service is captured as an event, and the log data is stored in an S3 bucket.
CloudTrail can record user actions across all AWS services by creating a trail in a single region or in multiple regions.
The architecture of a CloudTrail workflow is shown below in the AWS diagram:
The workflow proceeds as follows:
Step 1: Unusual user or API activity is recorded by CloudTrail.
Step 2: Event history logs are stored in an S3 bucket created by CloudTrail.
Step 3: Unusual user or API activity is monitored; the recorded event history for the last 90 days can be viewed by creating an optional Insights events dashboard, which can be downloaded as a CSV or JSON file.
Step 4: The CloudTrail console analyzes recent events.
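To show what an audit review of the log data in that S3 bucket can look like, here is an added Python example (not part of the original post). It scans a constructed CloudTrail log file, using the real CloudTrail record field names, and flags the things a reviewer would want to see first: use of the Root account, console logins without MFA, failed console logins, and changes to security settings. The sample values and the list of "security setting" event names are my own choices for the example.

```python
import json

# Constructed sample of one CloudTrail log file as delivered to the S3 bucket.
# Field names follow the CloudTrail record format; all values are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-07-18T09:12:44Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2023-07-18T09:15:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2023-07-18T09:16:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2023-07-18T09:20:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPublicAccessBlock", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": None},
]})

# Events that change the settings discussed in the post (assumed list for the example).
SENSITIVE_EVENTS = {"PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock",
                    "DeleteTrail", "StopLogging"}

def review_records(log_text):
    """Return one finding (dict) per record that an audit reviewer should examine."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type", "unknown")
        extra = rec.get("additionalEventData") or {}
        resp = rec.get("responseElements") or {}   # may be null on non-login events
        reasons = []
        if ident.get("type") == "Root":
            reasons.append("root account used")
        if rec.get("eventName") == "ConsoleLogin":
            if resp.get("ConsoleLogin") == "Failure":
                reasons.append("console login failed")
            elif extra.get("MFAUsed") == "No":
                reasons.append("console login without MFA")
        if rec.get("eventName") in SENSITIVE_EVENTS:
            reasons.append("security setting changed")
        if reasons:
            findings.append({"time": rec.get("eventTime"), "user": who,
                             "ip": rec.get("sourceIPAddress"),
                             "event": rec.get("eventName"), "reason": "; ".join(reasons)})
    return findings

for finding in review_records(SAMPLE_LOG):
    print(finding)
```

Point the same function at the files CloudTrail writes to your bucket (they are gzip-compressed JSON with the same "Records" array) to get the same review over real data.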
To create a trail, follow these steps:
Step 1: Ensure you have created an AWS account.
Step 2: Create IAM permissions for CloudTrail.
Step 3: Navigate to the search bar and type CloudTrail.
Step 4: On the CloudTrail homepage, click the orange Create a trail button.
Step 5: Give the trail a name that describes its purpose.
Step 6: Click Create new S3 bucket and provide a name for the S3 bucket that CloudTrail will create. Click Next.
The diagram below confirms the creation of the S3 bucket:
Step 7: Under Choose log events you may keep the default settings; select Save changes.
Step 8: Confirmation that the trail has been created is shown.
You can navigate to recent trail events from the CloudTrail dashboard.
CloudTrail is available under the AWS Free Tier, but review the pricing of Insights events here, as you may incur additional charges.
To enable Insights events:
Step 1: Click into the trail you created, scroll down to Events and click Edit, then check the box 'Insights events'.
Step 2: Check the box Insights events and then check the last two boxes, 'API error rate' and 'API call rate'.
After 24 hours you will be able to view Insights from your dashboard.
Navigate to CloudWatch Logs, click 'Enabled' and Save changes.
You will have the peace of mind of letting AWS CloudTrail track all user and API activity across your AWS services in multiple regions, with the log data stored in your S3 bucket for review and audit purposes. You will also have access to a dashboard to visualize the more granular insights you may need to understand the event history of your AWS account.
Until next time, happy learning! 😁
Next week is the AWS re:Inforce conference, 26-27 July 📆
A learning conference on compliance, privacy and identity 🔐🛠️
• Register to watch the keynote & sessions streamed live online 📺
• Link: https://reinforce.awsevents.com