Yay! SecurityMonkey now monitors CloudTrail and alerts when disabled
What is PCI DSS 10.2.3?
Access to all audit trails.
“Malicious users often attempt to alter audit logs to hide their actions, and a record of access allows an organization to trace any inconsistencies or potential tampering of the logs to an individual account. Having access to logs identifying changes, additions, and deletions can help retrace steps made by unauthorized personnel.”
What is CloudTrail?
- What an access log is to a web server, a CloudTrail log is to AWS.
- CloudTrail logs every API activity performed on AWS and delivers the records to an S3 bucket in JSON format.
- For example, here is what the JSON looks like when you create a new user named ‘administrator’, showing the EventName, SourceIP and other fields.
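As an added illustration (this is not code or data from the original post), the snippet below parses a CloudTrail log file in the Records layout and pulls out the fields mentioned above. The log file is constructed: the account id, ARNs, user names and IP addresses are made up. Beyond the CreateUser record, it also flags the CloudTrail calls that stop or reconfigure a trail, which are exactly the log changes PCI DSS 10.2.3 wants traced back to an account.

```python
import json

# Constructed sample CloudTrail log file (not a real capture): account id,
# ARNs and IP addresses are made up. CloudTrail writes a JSON object with a
# "Records" array like this to S3.
SAMPLE_LOG = json.dumps({
    "Records": [
        {
            "eventVersion": "1.05",
            "userIdentity": {
                "type": "IAMUser",
                "arn": "arn:aws:iam::123456789012:user/alice",
                "userName": "alice",
            },
            "eventTime": "2017-01-10T20:15:01Z",
            "eventSource": "iam.amazonaws.com",
            "eventName": "CreateUser",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.23",
            "userAgent": "aws-cli/1.11.0",
            "requestParameters": {"userName": "administrator"},
            "responseElements": {"user": {"userName": "administrator"}},
        },
        {
            "eventVersion": "1.05",
            "userIdentity": {
                "type": "IAMUser",
                "arn": "arn:aws:iam::123456789012:user/bob",
                "userName": "bob",
            },
            "eventTime": "2017-01-10T21:02:44Z",
            "eventSource": "cloudtrail.amazonaws.com",
            "eventName": "StopLogging",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.9",
            "userAgent": "console.amazonaws.com",
            "requestParameters": {
                "name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"
            },
            "responseElements": None,
        },
    ]
})

# CloudTrail API calls that stop, delete or reconfigure a trail. Any of these
# is the kind of audit-log change PCI DSS 10.2.3 wants traced to an account.
LOG_TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def summarize_records(log_text):
    """Parse a CloudTrail log file and return the fields an auditor asks for,
    one dict per record: who did what, from where, to which resource."""
    records = json.loads(log_text)["Records"]
    summaries = []
    for rec in records:
        params = rec.get("requestParameters") or {}
        summaries.append({
            "eventTime": rec.get("eventTime"),
            "eventName": rec.get("eventName"),
            "eventSource": rec.get("eventSource"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "actor": rec.get("userIdentity", {}).get("arn"),
            # IAM calls name the target user; CloudTrail calls name the trail.
            "target": params.get("userName") or params.get("name"),
            "errorCode": rec.get("errorCode"),  # present only when the call failed
        })
    return summaries


def find_log_tampering(log_text):
    """Return the summaries of records that stopped or changed CloudTrail itself."""
    return [s for s in summarize_records(log_text) if s["eventName"] in LOG_TAMPERING_EVENTS]


if __name__ == "__main__":
    for s in summarize_records(SAMPLE_LOG):
        print("{eventTime} {eventName:<12} by {actor} from {sourceIPAddress} on {target}".format(**s))
    for s in find_log_tampering(SAMPLE_LOG):
        print("ALERT: audit-log change:", s["eventName"], "by", s["actor"])
```

Run against the sample, the first record reads as alice creating the user ‘administrator’ from 198.51.100.23, and the second is reported as an alert because StopLogging turned the trail off. In a real pipeline the `log_text` would be each gzipped object read from the S3 bucket CloudTrail delivers to.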
SecurityMonkey Monitors CloudTrail and alerts when disabled
Having AWS CloudTrail logs and actively using them to monitor security-related activities within an AWS environment are two distinctly different concepts.
Before you even go down the route of analyzing CloudTrail logs, you want to ensure the logs are enabled in the first place, that they stay enabled, and that an alert fires when they are disabled or deleted, whether intentionally or unintentionally.
How do you monitor the monitor?
This is where Security Monkey comes into the picture: it tracks, alerts on and stores historical information about CloudTrail status.
With this new feature, SecurityMonkey now tracks, stores, audits and alerts on the state of CloudTrail.
The next time your PCI auditor asks you for information on PCI DSS 10.2.3, you can point them to the following if you are using SecurityMonkey.
When there is an issue, here is what the audit issue looks like (for example, when CloudTrail is disabled or when CloudTrail is not enabled for all AWS regions):
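The following is an added example, not Security Monkey's own code: a plain-Python version of the two audit checks just described (CloudTrail disabled, CloudTrail not enabled in every region), run over constructed dicts shaped like the `trailList` entries of boto3's `describe_trails()` and the response of `get_trail_status()`. The account id, trail names, regions and bucket are made up. It goes slightly beyond the post's two checks by also flagging trails that have log file validation switched off.

```python
# Constructed sample data in the shape of boto3's cloudtrail.describe_trails()
# ("trailList" entries, one list per region queried) and get_trail_status()
# responses. Account id, trail names and bucket are made up.
ALL_REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]

TRAILS_BY_REGION = {
    "us-east-1": [
        {"Name": "main",
         "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main",
         "HomeRegion": "us-east-1", "IsMultiRegionTrail": False,
         "S3BucketName": "example-cloudtrail-logs", "LogFileValidationEnabled": True},
    ],
    "us-west-2": [
        {"Name": "west",
         "TrailARN": "arn:aws:cloudtrail:us-west-2:123456789012:trail/west",
         "HomeRegion": "us-west-2", "IsMultiRegionTrail": False,
         "S3BucketName": "example-cloudtrail-logs", "LogFileValidationEnabled": False},
    ],
    "eu-west-1": [],  # nothing configured in this region
}

STATUS_BY_ARN = {
    "arn:aws:cloudtrail:us-east-1:123456789012:trail/main": {"IsLogging": True},
    "arn:aws:cloudtrail:us-west-2:123456789012:trail/west": {"IsLogging": False},
}


def audit_cloudtrail(regions, trails_by_region, status_by_arn):
    """Return a (severity, region, message) tuple for each audit issue found."""
    issues = []
    # A multi-region trail that is actually logging covers every region at once.
    multi_region_logging = any(
        t["IsMultiRegionTrail"] and status_by_arn.get(t["TrailARN"], {}).get("IsLogging")
        for trails in trails_by_region.values() for t in trails
    )
    for region in regions:
        # describe_trails also lists "shadow" copies of trails homed elsewhere,
        # so only trails whose home is this region count as this region's trails.
        home_trails = [t for t in trails_by_region.get(region, []) if t["HomeRegion"] == region]
        if not home_trails and not multi_region_logging:
            issues.append(("CRITICAL", region, "CloudTrail not enabled in this region"))
        for trail in home_trails:
            status = status_by_arn.get(trail["TrailARN"], {})
            if not status.get("IsLogging"):
                issues.append(("CRITICAL", region,
                               "CloudTrail disabled: trail %s is not logging" % trail["Name"]))
            if not trail.get("LogFileValidationEnabled"):
                issues.append(("MEDIUM", region,
                               "log file validation is off for trail %s" % trail["Name"]))
    return issues


if __name__ == "__main__":
    for severity, region, message in audit_cloudtrail(ALL_REGIONS, TRAILS_BY_REGION, STATUS_BY_ARN):
        print("%-8s %-10s %s" % (severity, region, message))
```

With the sample data this reports three issues: the us-west-2 trail is disabled, the same trail lacks log file validation, and eu-west-1 has no trail at all; us-east-1 is clean. In a real run the per-region lists come from `describe_trails()["trailList"]` in each region and the status dicts from `get_trail_status(Name=<trail ARN>)`, and a monitor like Security Monkey stores each run so that a change from logging to not logging shows up as a diff rather than just a current state.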
- If you would like to know more about Security Monkey, please check my previous post, Secops with SecurityMonkey.
- If you would like to contribute to SecurityMonkey: https://nagarun.wordpress.com/2016/12/07/how-to-contribute-to-opensource/
- PR for checking CloudTrail status: https://github.com/Netflix/security_monkey/pull/470
- AWS CloudTrail : https://aws.amazon.com/cloudtrail/faqs/
- Yay! Thanks @MonkeySecurity and Mike Grima for the help with the PR.