Manage Security & Compliance of your AWS Account using CloudTrail


Upload: cloudlytics

Post on 17-Jul-2015


Need of Audit Trail

Introduction to CloudTrail

How to Enable CloudTrail in your AWS Account

Analyzing CloudTrail using Cloudlytics


The average cost of a data breach in 2014 was $3.5 Million. – Ponemon Institute

On an average, companies are attacked 16,856 times a year, and many of those attacks result in a quantifiable data breach. – IBM Security Services

“In the average attack, you get 90% of the data you want in like nine hours, and yet most of the companies don't find out for three to four months.” – John Chambers, CEO (CISCO)


“There is no data center or network in the world that hasn't been hacked. If you watched the number of attacks, they're going up exponentially this year (2015), this year's going to be much worse than last year.” – John Chambers, CEO (CISCO)


92% of data breaches can be described by just nine distinct patterns. – Verizon (2014 Data Breach Investigations Report)

43% of C-level executives say negligent insiders are the greatest threat to sensitive data. – IBM Services


An Audit Trail is a security-relevant chronological record, set of records, and/or destination and source of records that provide documentary evidence of the sequence of activities that have affected at any time a specific operation, procedure, or event. Audit records typically result from activities such as financial transactions, scientific research and health care data transactions, or communications by individual people, systems, accounts, or other entities.


• Ensure Security
• Maintain Individual Accountability
• Recreate Events
• Detect Intrusions
• Analyze Errors


AWS & Audit Trails


AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

CloudTrail


Tokyo, Sydney, Singapore, Frankfurt, Ireland, Sao Paulo, Northern Virginia, GovCloud, Northern California, Oregon


Administration & Security
• AWS IAM
• AWS CloudWatch
• AWS Key Management Service
• AWS Security Token
• AWS CloudHSM
• AWS Config

Analytics
• Amazon EMR
• Amazon Kinesis
• AWS Data Pipeline

Application Services
• Amazon SQS
• Amazon SWF
• Amazon Elastic Transcoder
• Amazon CloudSearch

Deployment & Management
• AWS Elastic Beanstalk
• AWS OpsWorks
• AWS CloudFormation
• AWS CodeDeploy

Database
• Amazon RDS
• Amazon ElastiCache
• Amazon Redshift

Compute
• Amazon EC2
• Auto Scaling
• ELB

Enterprise Applications
• Amazon WorkDocs

Mobile Services
• Amazon SNS

Networking
• Amazon VPC

Storage & Content Delivery
• AWS Storage Gateway
• Amazon Glacier
• Amazon CloudFront
• Amazon Elastic Block Store (EBS)


Successful requests to AWS Services

Time of Request

User Identity

Access Keys being Used

Request Response

(Examples)


AWS Identity and Access Management is a web service that enables AWS customers to manage users and user permissions in AWS.


Amazon Elastic Compute Cloud (Amazon EC2) provides resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers and allow them to obtain and configure capacity with minimal issues.


{
  "Records": [
    {
      "eventVersion": "1.0",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
      },
      "eventTime": "2014-03-06T21:01:59Z",
      "eventSource": "ec2.amazonaws.com",
      "eventName": "StopInstances",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "205.251.233.176",
      "userAgent": "ec2-api-tools 1.6.12.2",
      "requestParameters": {
        "instancesSet": {
          "items": [{ "instanceId": "i-ebeaf9e2" }]
        },
        "force": false
      },
      "responseElements": {
        "instancesSet": {
          "items": [{
            "instanceId": "i-ebeaf9e2",
            "currentState": { "code": 64, "name": "stopping" },
            "previousState": { "code": 16, "name": "running" }
          }]
        }
      }
    }
  ]
}

Who initiated an Action?

Time of the Action?

What Action was taken?

Where was the Action performed?


HIPAA Section 164.312(1)(b) - Audit controls (required), which states organizations must “Implement hardware, software, & procedural mechanisms that record & examine activity in information systems that contain or use electronic protected health information.”

PCI DSS - Requires user logon and log off events to be recorded as part of the "follow the user requirement".

• Overview Report
• User Audit Report
• EC2 Activity Report
• Custom Report


• Top 5 Users
• Top 5 Services
• Top 5 IP Addresses
• Top 5 Access Keys
• Unauthorized Accesses
• Location
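The four questions asked of the sample record (who, when, what, where) and the Top 5 lists of the overview report can be computed directly from CloudTrail log files. The following is an added example, not code from the slides or from Cloudlytics; the function names, the second and third sample records, and the choice of `AccessDenied` / `UnauthorizedOperation` error codes as the "unauthorized" signal are assumptions.

```python
import json
from collections import Counter
# Constructed sample log: record 1 mirrors the StopInstances event on this page;
# the other two records are invented for illustration.
SAMPLE_LOG = json.dumps({"Records": [
    {"userIdentity": {"type": "IAMUser", "userName": "Alice", "accessKeyId": "EXAMPLE_KEY_ID"},
     "eventTime": "2014-03-06T21:01:59Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "205.251.233.176"},
    {"userIdentity": {"type": "IAMUser", "userName": "Bob", "accessKeyId": "EXAMPLE_KEY_ID_2"},
     "eventTime": "2014-03-06T21:05:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied"},
    {"userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "eventTime": "2014-03-06T21:07:42Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "205.251.233.176"},
]})
DENIED = ("AccessDenied", "UnauthorizedOperation")  # matched as substrings of errorCode

def summarize(record):
    """Answer who / when / what / where for one CloudTrail record."""
    ident = record.get("userIdentity", {})
    # Root and role callers may carry no userName: fall back to ARN, then type.
    who = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
    return {
        "who": who,
        "access_key": ident.get("accessKeyId", "none"),
        "when": record.get("eventTime"),
        "service": record.get("eventSource"),
        "what": record.get("eventName"),
        "where": record.get("awsRegion"),
        "source_ip": record.get("sourceIPAddress"),
        "denied": any(code in record.get("errorCode", "") for code in DENIED),
    }

def overview(log_text, n=5):
    """Top-n users, services, source IPs and access keys, plus denied calls."""
    rows = [summarize(r) for r in json.loads(log_text).get("Records", [])]
    top = lambda key: Counter(row[key] for row in rows).most_common(n)
    return {
        "top_users": top("who"),
        "top_services": top("service"),
        "top_ips": top("source_ip"),
        "top_access_keys": top("access_key"),
        "unauthorized": [row for row in rows if row["denied"]],
    }

if __name__ == "__main__":
    print(json.dumps(overview(SAMPLE_LOG), indent=2))
```

Calls made without an IAM user name (root, assumed roles) are grouped by ARN here, so they still show up in the per-user counts instead of collapsing into an empty key.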


• List of Instances
• Instance Related Activities
• User Access Patterns
• Errors


• List of Users
• User Related Activities
• User Access Patterns
• Geographic Locations
• Access Keys Used


Generate your own Report

Define a Query

Generate Report

Create a New User from the IAM Console

Set the User Policy

Grant Cloudlytics access to the S3 bucket containing the logs


Register with Cloudlytics

Configure CloudTrail


Start Analyzing AWS Logs