Introduction
Securing your cloud environment is now more critical than ever. As organizations increasingly rely on cloud platforms like Amazon Web Services (AWS), the potential for security breaches and unauthorized access becomes a pressing concern. AWS CloudTrail is a powerful tool that can help you monitor and detect suspicious activities in your AWS account. This blog post will guide you through the process of leveraging AWS CloudTrail to detect account intruders and strengthen your overall security posture.
What is AWS CloudTrail?
AWS CloudTrail is a service that provides governance, compliance, and operational and risk auditing of your AWS account. It records API calls made against your AWS resources (and related events such as console sign-ins) and can deliver them to an Amazon S3 bucket, to Amazon CloudWatch Logs, and to Amazon EventBridge. Each record includes who made the request (the userIdentity block), which action was taken and when, and the source IP address and user agent of the caller, giving you a comprehensive audit trail for your AWS environment.
By analyzing this event history, you can identify unauthorized access attempts, unusual patterns of activity, and potential security breaches.
Why Use AWS CloudTrail for Intruder Detection?
AWS CloudTrail is uniquely suited for detecting intruders due to its detailed logs and integration capabilities. Here’s why:
- Comprehensive Visibility: CloudTrail records management API calls and console logins by default, giving a clear picture of what is happening in your account. Data events (object-level S3 operations, Lambda invocations and similar) are not logged unless you enable them on the trail, and they carry additional cost.
- Actionable Insights: By analyzing logs, you can detect anomalous activities that may indicate unauthorized access.
- Real-time Alerts: Integrating CloudTrail with services like CloudWatch and EventBridge allows you to set up real-time notifications for suspicious activities.
- Compliance Requirements: Many regulatory frameworks require robust logging and monitoring, which CloudTrail helps achieve.
Step-by-Step Guide to Detecting Intruders Using AWS CloudTrail
1. Enable CloudTrail Across All Regions
To ensure comprehensive logging, enable CloudTrail for all regions in your AWS account. Intruders often use less monitored regions to evade detection. Without a trail, CloudTrail still keeps 90 days of management events per region in Event history, but long-term retention, data events and log file integrity validation all require a trail. Here’s how to set it up:
- Navigate to the CloudTrail console.
- Click Create trail.
- Provide a name for the trail.
- Choose to enable the trail for all regions (a multi-region trail), so regions enabled later are covered automatically.
- Specify an S3 bucket to store the logs, with a bucket policy that only CloudTrail can write to.
- Enable log file validation, so that a log file that has been modified or deleted after delivery can be detected.
- Optionally, enable encryption using AWS Key Management Service (KMS).
By enabling CloudTrail across all regions, you ensure that no activity goes unnoticed. Treat the trail itself as a protected asset: anyone who can call StopLogging or DeleteTrail can blind your detection, so restrict those permissions and alert on them (see below).
2. Analyze CloudTrail Logs
Once CloudTrail is enabled, it’s time to analyze the logs for suspicious activities. Some patterns to watch for include:
- Unusual Login Activity: Look for console logins from unknown IP addresses or geographies, logins at unusual times, and a run of failed logins followed by a success.
- Unauthorized API Calls: Watch for calls that return AccessDenied (the errorCode field of the record) and for services or resources that are not normally used; an attacker probing what stolen credentials can do generates a burst of them.
- Changes to IAM Policies: Intruders escalate privileges by attaching or creating policies, adding users to groups, creating access keys, or changing a role's trust policy.
- Tampering with the Trail: StopLogging, DeleteTrail, UpdateTrail and PutEventSelectors calls are a classic first move after a compromise, so alert on them unconditionally.
- Data Exfiltration Attempts: Large downloads or unusual S3 activity can indicate a breach (object-level S3 operations only appear if data events are enabled on the trail).
Amazon Athena
You can use Amazon Athena to query CloudTrail logs stored in S3 (the CloudTrail console can create the table definition for you). Athena bills by the amount of data scanned, so add predicates on the region and date partitions for anything beyond a one-off query. For example, the following SQL query lists console logins that did not come from a known address:
SELECT userIdentity.type, userIdentity.arn, sourceIPAddress, eventTime
FROM cloudtrail_logs
WHERE eventName = 'ConsoleLogin'
AND sourceIPAddress NOT IN ('<list_of_known_ips>')
ORDER BY eventTime DESC;
Continuent’s Approach
Continuent uses a home-grown tool (trailwatch) that gives us granular control over the rules and the alerting, preventing false positives and allowing us to clearly understand what is happening in our environment in real time. For auditing and security purposes, our tool queries the event log for any event that is NOT Read-Only.
The trailwatch tool calls the `aws cloudtrail lookup-events` command to obtain events from the CloudTrail Event log. By getting direct access to the events themselves, custom scripted rules can be applied to minimize the false positives and allow for tracking and response.
Cron invokes trailwatch every minute which then checks the last 5 minutes of CloudTrail events in every region, alerting via email as needed, and logging the alert to prevent multiples:
/opt/local/bin/trailwatch -c 2>&1 >> /var/log/trailwatch.log
This keeps the requests down to once per minute per region, far below the LookupEvents limit of two requests per second per region; exceeding that limit returns a throttling error rather than data, so a poller has to back off and retry.
For example, this is how to get a list of active regions for your account to loop through using the aws cli:
aws ec2 describe-regions --output text | cut -f4
The example below queries the CloudTrail event log and limits the results to 5 events:
aws cloudtrail lookup-events --region us-east-1 --lookup-attributes AttributeKey=ReadOnly,AttributeValue=false --output json --max-results 5
If you have the `jq` command installed, you can reformat the output easily like this:
aws cloudtrail lookup-events --region us-east-1 --lookup-attributes AttributeKey=ReadOnly,AttributeValue=false --output json --max-results 5 | jq '.Events[].CloudTrailEvent |= fromjson'
In production, we get the last 5 minutes of events using the `--start-time $timestamp` formatted via printf as '%Y-%m-%dT%H:%M:%SZ'.
The rest of the blog post describes a variety of ways to use the CloudTrail information to secure your cloud account. Please remember that AWS loves to charge for things, which is one of the reasons we have chosen the above home-grown method. As always, YMMV ;-}
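The following Python script is an added example, not Continuent's trailwatch and not code from the original post. It implements the polling loop described above (the `aws cloudtrail lookup-events` call per region, restricted to non-read-only events, over a five-minute window) together with scripted rules for the patterns listed under "Analyze CloudTrail Logs": failed console logins, logins from unknown addresses, IAM privilege changes and trail tampering. Alerted event IDs are remembered so that a record seen in several overlapping windows is reported once. The known-address set, the region-listing command and the sample records (including their event IDs, names and addresses, which use RFC 5737 documentation ranges) are assumptions constructed for the example; the live path at the bottom needs the aws cli and credentials.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumption: the single address console logins normally come from (constructed, TEST-NET-3).
KNOWN_IPS = {"203.0.113.10"}
WINDOW = timedelta(minutes=5)  # the post polls every minute over the last five minutes

# IAM calls that usually mean privilege escalation, and CloudTrail calls that blind the trail.
IAM_PRIV_ESC = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
                "CreateAccessKey", "CreateLoginProfile", "UpdateAssumeRolePolicy", "AddUserToGroup"}
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def window_start(now=None):
    """--start-time value for lookup-events: five minutes ago as %Y-%m-%dT%H:%M:%SZ."""
    now = now or datetime.now(timezone.utc)
    return (now - WINDOW).strftime("%Y-%m-%dT%H:%M:%SZ")


def lookup_events_argv(region, start):
    """argv for the same aws cli call the post uses, restricted to non-read-only events."""
    return ["aws", "cloudtrail", "lookup-events", "--region", region,
            "--lookup-attributes", "AttributeKey=ReadOnly,AttributeValue=false",
            "--start-time", start, "--output", "json"]


def parse_lookup_output(raw):
    """lookup-events nests each record as a JSON string in CloudTrailEvent; unpack it
    (this is what the jq '|= fromjson' step above does)."""
    return [json.loads(e["CloudTrailEvent"]) for e in json.loads(raw)["Events"]]


def principal(r):
    ident = r["userIdentity"]
    return ident.get("userName") or ident.get("arn") or ident["type"]


# Each rule returns an alert string, or None when the record is not interesting.
def rule_failed_console_login(r):
    # responseElements is JSON null on many records, so guard before calling .get()
    if r["eventName"] == "ConsoleLogin" and (r.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
        return f"failed console login for {principal(r)} from {r['sourceIPAddress']}"


def rule_login_unknown_ip(r):
    if r["eventName"] == "ConsoleLogin" and r["sourceIPAddress"] not in KNOWN_IPS:
        return f"console login attempt from unknown address {r['sourceIPAddress']} by {principal(r)}"


def rule_iam_change(r):
    if r["eventSource"] == "iam.amazonaws.com" and r["eventName"] in IAM_PRIV_ESC:
        params = json.dumps(r.get("requestParameters") or {}, sort_keys=True)
        return f"IAM change {r['eventName']} by {principal(r)}: {params}"


def rule_trail_tampering(r):
    if r["eventSource"] == "cloudtrail.amazonaws.com" and r["eventName"] in TRAIL_TAMPER:
        return f"CloudTrail tampering {r['eventName']} by {principal(r)}"


RULES = [rule_failed_console_login, rule_login_unknown_ip, rule_iam_change, rule_trail_tampering]


def evaluate(records, seen):
    """Run every rule over the records. `seen` collects eventIDs already alerted on, so a
    record that falls into several overlapping five-minute windows is reported once."""
    alerts = []
    for r in records:
        if r["eventID"] in seen:
            continue
        hits = [hit for hit in (rule(r) for rule in RULES) if hit]
        if hits:
            seen.add(r["eventID"])
            alerts.extend(f"{r['eventTime']} {r['awsRegion']} {hit}" for hit in hits)
    return alerts


def fake_lookup_output(records):
    """Wrap records the way `aws cloudtrail lookup-events --output json` does (constructed)."""
    return json.dumps({"Events": [{"EventId": r["eventID"], "EventName": r["eventName"],
                                   "CloudTrailEvent": json.dumps(r)} for r in records]})


def _record(event_id, name, source, user, ip, **extra):
    base = {"eventID": event_id, "eventTime": "2024-05-01T10:00:12Z", "awsRegion": "us-east-1",
            "eventName": name, "eventSource": source, "sourceIPAddress": ip, "readOnly": False,
            "userIdentity": {"type": "IAMUser", "userName": user,
                             "arn": f"arn:aws:iam::123456789012:user/{user}"}}
    base.update(extra)
    return base


# Constructed sample records: a failed console login from an unknown address, a policy
# attachment from the office address, and an ordinary instance launch no rule should flag.
SAMPLE_RECORDS = [
    _record("1a2b3c", "ConsoleLogin", "signin.amazonaws.com", "alice", "198.51.100.7",
            responseElements={"ConsoleLogin": "Failure"}),
    _record("4d5e6f", "AttachUserPolicy", "iam.amazonaws.com", "bob", "203.0.113.10",
            requestParameters={"userName": "bob",
                               "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _record("7a8b9c", "RunInstances", "ec2.amazonaws.com", "bob", "203.0.113.10"),
]


if __name__ == "__main__":
    import subprocess  # only the live path needs the aws cli and credentials
    seen = set()
    regions = subprocess.run(["aws", "ec2", "describe-regions", "--query", "Regions[].RegionName",
                              "--output", "text"], check=True, capture_output=True, text=True).stdout.split()
    for region in regions:
        out = subprocess.run(lookup_events_argv(region, window_start()),
                             check=True, capture_output=True, text=True).stdout
        for line in evaluate(parse_lookup_output(out), seen):
            print(line)
```

Run against the constructed sample, the failed login produces two alerts (one per rule it matches), the AttachUserPolicy one, and the RunInstances none; a second evaluation of the same window with the same `seen` set produces nothing. In a cron-driven deployment the `seen` set has to persist across invocations (a small file keyed by eventID is enough) and should be pruned of IDs older than the window.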
Where To Go From Here
Now that you have access to the CloudTrail data, you must decide what to do with it. Read on to discover how to manage your security responses.
3. Set Up Real-Time Alerts
Real-time detection is crucial for responding to intrusions quickly. You can achieve this by integrating CloudTrail with AWS CloudWatch. Here’s how:
- Create a CloudWatch Log Group:
  - In the CloudWatch console, create a new log group for CloudTrail events.
  - Configure CloudTrail to deliver logs to this log group (the trail needs an IAM role allowed to write to it).
- Create Metric Filters:
  - Define patterns to detect specific events, such as unauthorized API calls or failed login attempts.
  - For example, to detect failed logins, use the following pattern:
    { ($.eventName = "ConsoleLogin") && ($.responseElements.ConsoleLogin = "Failure") }
- Set Up Alarms:
  - Create a CloudWatch alarm based on the metric filter.
  - Configure the alarm to send notifications via Amazon SNS (Simple Notification Service).
With this setup, you’ll receive immediate alerts when suspicious activities are detected.
4. Use AWS GuardDuty for Advanced Threat Detection
While CloudTrail is excellent for detailed auditing, Amazon GuardDuty provides managed threat detection by analyzing CloudTrail management events, VPC Flow Logs, and DNS logs against threat intelligence and anomaly models. GuardDuty can identify:
- Compromised instances communicating with known malicious IPs or domains.
- Unusual IAM user behavior, such as credentials used from an unexpected location or API calls that principal has never made before.
- Potential data exfiltration activities.
Enable GuardDuty in every region you use. It reads CloudTrail events directly from the service, so it works even without a trail configured; its findings are published to EventBridge, where they can drive the same alerts and automated responses described here.
5. Automate Responses to Threats
Detecting intrusions is only half the battle; responding effectively is equally important. AWS services like Lambda and EventBridge allow you to automate responses to specific events. For example:
- Locking Compromised Accounts: Automatically remove the console password and deactivate the access keys of an IAM user when unauthorized access is detected.
- Revoking Temporary Credentials: STS tokens cannot be cancelled individually; instead, attach a deny policy to the role that rejects any session issued before a given time, which is what the console's "Revoke active sessions" button does.
- Notifying Security Teams: Send detailed alerts to your security operations team via email or chat platforms like Slack.
Here’s a sample Lambda function in Python to disable a compromised IAM user. The event is the EventBridge envelope around the CloudTrail record, so userName is only present when userIdentity.type is IAMUser; delete_login_profile raises NoSuchEntity if the user never had a console password, which production code should catch:
import boto3

def lambda_handler(event, context):
    iam = boto3.client('iam')
    user_name = event['detail']['userIdentity']['userName']
    # Remove the console password outright; PasswordResetRequired alone still accepts the old one once.
    iam.delete_login_profile(UserName=user_name)
    # Deactivate, rather than delete, every key so the credential remains available to the investigation.
    for key in iam.list_access_keys(UserName=user_name)['AccessKeyMetadata']:
        iam.update_access_key(UserName=user_name, AccessKeyId=key['AccessKeyId'], Status='Inactive')
    return f"Disabled user {user_name}"
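The function above only handles IAM users, yet most CloudTrail records in a well-run account come from assumed roles, and `event['detail']['userIdentity']['userName']` simply raises KeyError for those. The following added example (not code from the original post) extends the same Lambda pattern: it classifies the principal in the record, deactivates IAM users as above, and for roles writes the session-revocation deny policy described in the list, keyed on the `aws:TokenIssueTime` condition. The policy name, the sample ARNs and the account number are assumptions; only `apply_plan` touches AWS, so the planning logic can be exercised offline.

```python
import json
from datetime import datetime, timezone


def revoke_sessions_policy(issued_before):
    """Inline policy that denies everything to sessions of a role issued before
    `issued_before`. STS tokens cannot be cancelled one by one, so the role itself is
    told to reject them; new sessions assumed after this time keep working."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny", "Action": ["*"], "Resource": ["*"],
            "Condition": {"DateLessThan": {
                "aws:TokenIssueTime": issued_before.strftime("%Y-%m-%dT%H:%M:%SZ")}},
        }],
    }


def containment_plan(record):
    """Decide how to contain the principal in one CloudTrail record. userName exists only
    for IAM users; an assumed role carries the role ARN under sessionContext.sessionIssuer."""
    ident = record["userIdentity"]
    kind = ident["type"]
    if kind == "IAMUser":
        return {"action": "disable_user", "user": ident["userName"]}
    if kind == "AssumedRole":
        role_arn = ident["sessionContext"]["sessionIssuer"]["arn"]  # arn:aws:iam::<acct>:role/<name>
        return {"action": "revoke_role_sessions", "role": role_arn.rsplit("/", 1)[1]}
    if kind == "Root":
        return {"action": "page_humans", "reason": "root credentials in use; rotate them by hand"}
    return {"action": "page_humans", "reason": f"unhandled identity type {kind}"}


def apply_plan(plan, now=None):
    """Carry out a plan with boto3 (imported here so planning can be tested without AWS)."""
    import boto3
    iam = boto3.client("iam")
    now = now or datetime.now(timezone.utc)
    if plan["action"] == "disable_user":
        user = plan["user"]
        try:
            iam.delete_login_profile(UserName=user)  # console password, if the user has one
        except iam.exceptions.NoSuchEntityException:
            pass
        for key in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
            iam.update_access_key(UserName=user, AccessKeyId=key["AccessKeyId"], Status="Inactive")
        return f"disabled {user}"
    if plan["action"] == "revoke_role_sessions":
        # Fixed policy name (assumption) so repeated runs overwrite instead of piling up.
        iam.put_role_policy(RoleName=plan["role"], PolicyName="RevokeOlderSessions",
                            PolicyDocument=json.dumps(revoke_sessions_policy(now)))
        return f"revoked sessions of {plan['role']} issued before {now.strftime('%Y-%m-%dT%H:%M:%SZ')}"
    return "escalated: " + plan["reason"]


def lambda_handler(event, context):
    # EventBridge delivers the CloudTrail record under "detail".
    return apply_plan(containment_plan(event["detail"]))
```

Root activity is deliberately escalated to a human rather than automated: there is no API that disables root, and the right response (rotate the password and MFA device, check the account contacts) is manual. The Lambda's own execution role needs iam:DeleteLoginProfile, iam:ListAccessKeys, iam:UpdateAccessKey and iam:PutRolePolicy, and nothing more.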
6. Regularly Review and Update Detection Mechanisms
Intrusion techniques evolve over time, and so should your detection mechanisms. Regularly review CloudTrail logs, refine your alert criteria, and stay updated on AWS security best practices. Consider conducting periodic threat simulations to test your detection and response processes.
Common Challenges and How to Overcome Them
- Log Overload: CloudTrail logs can be overwhelming, especially in large environments. Use AWS tools like Athena and GuardDuty to filter and analyze logs efficiently.
- False Positives: Ensure your detection rules are finely tuned to avoid excessive alerts that can lead to alert fatigue.
- Cost Management: Storing and analyzing large volumes of logs can be expensive. Use lifecycle policies to archive older logs and monitor costs.
Conclusion
AWS CloudTrail is an indispensable tool for monitoring and detecting intrusions in your AWS account. By enabling CloudTrail across all regions, analyzing logs, setting up real-time alerts, and integrating advanced tools like GuardDuty, you can effectively identify and respond to unauthorized access attempts.
Security is not a one-time effort but an ongoing process. Regularly update your detection mechanisms, train your team, and leverage AWS’s robust ecosystem of security tools to stay ahead of potential threats. By following the steps outlined in this guide, you’ll be well-equipped to safeguard your AWS environment from intruders.
Smooth sailing!