AWS Events and Changes You Should Track For Your AWS Account Security and Operational Excellence

AWS CloudTrail service captures and publishes every action taken or change performed across any other AWS services. These changes could come as a result of

  • Console use by a user
  • An application running it’s code
  • A SaaS partner using assume role running/ accessing some API in your account
  • An event trigger another component (e.g.File got uploaded on S3 which trigger a Lambda function)

As you can see everything gets pushed into CloudTrail.

Example below shows that the IAM user Alice used the AWS CLI to call the CreateUser action to create a new user named Bob.

{"Records": [{
    "eventVersion": "1.0",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2014-03-24T21:11:59Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "CreateUser",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "127.0.0.1",
    "userAgent": "aws-cli/1.3.2 Python/2.7.5 Windows/7",
    "requestParameters": {"userName": "Bob"},
    "responseElements": {"user": {
        "createDate": "Mar 24, 2014 9:11:59 PM",
        "userName": "Bob",
        "arn": "arn:aws:iam::123456789012:user/Bob",
        "path": "/",
        "userId": "EXAMPLEUSERID"
    }}
}]}

So much data?

Data -> information -> insights becomes challenging and overwhelming if the amount is large and needs to be consume in real-time. So, below is the list of metrics which we recommend you to keep an eye on. This doesn’t mean that other events are not important but the objective of this blog is to ensure that the signal to noise ratio for your team is minimum and you do not lose sight of critical update.

  • ConsoleLogin
      • What? : This event is raised when anyone logs into the account using AWS console.
      • Why? : Generally if you have CI/ CD setup and your team uses command line tools to interact with cloud api, then console login is a rare act. It makes it important to stay alerted if there is a console login.
      • Risk : Medium
      • What to do next? If you a console login, especially for someone with root or administrator role, then checking with them offline (over Slack or other messenger based tool) is a recommended.
  • StopLogging
      • What? When AuditTrail logs are disabled. Yes, it raises this event and logs this action too 🙂
      • Why? There will be little to no reason that anyone without a planned notice and communication has disabled AuditTrail logs themselves. So, this event itself is a good enough reason to jump on it.
      • Risk: High
      • What to do next? Jump on a call with team members (if required), login in your console and assess on who did it? If it was a mistake, then reenable the logging again. Also, put controls and education in place that this mistake doesn’t happen again in future.
  • CreateRoute, CreateNetworkAclEntry, CreateSecurityGroup
      • What? These deal VPC security – one of the building blocks in which your compute and other resources and data resides.
      • Why? This activity should be planned, documented and approved activity.
      • Risk: High
      • What to do next? Alert your team about this and fix the issue/ process which has caused this.
  • AuthorizeDBSecurityGroupIngress, CreateDBSecurityGroup, DeleteDBSecurityGroup, RevokeDBSecurityGroupIngress
      • Why? Your database should be one of the most protected resource. Not only it shouldn’t have public assigned IP but it also should be in Private subnet. Now listening for these events ensures that any changes with DB Security groups don’t go unnoticed.
      • Risk: High

References: