CloudTrail Alerts

What are CloudTrail Alerts?

CloudTrail alerts are notifications that will help you to secure your management plane. You can use these alerts to get notified about any of our out-of-the-box security issues, or you can create your own customized alerts. The results of the alerts are communicated to you and are also saved within CloudCheckr, providing you with a starting point to conduct audits and perform forensics on your deployment.

 

How Do I Use CloudTrail Alerts?

A good starting point is the Built-In Alerts. CloudCheckr’s subject matter experts have developed 25+ ready-to-use Alerts to help you stay on top of security-related issues in your deployment. We will walk you through all of the options available when configuring a sample alert in order to explain the powerful configuration possibilities.

Begin by navigating to the CloudTrail Alerts section, located at the top of the Security module, and go to Alerts/CloudTrail/Manager.

Built-In Alerts

Once you’re in the Alert Manager section, you’ll see two tabs for Alert options: Built-In Alerts and Custom Alerts. Start with Built-In Alerts (the default setting).

For this exercise, click on the alert Any security-related event to open it up and start exploring.

The first section you will encounter shows the Alert name, Risk Level, and optional Custom Description.

Notifications

Next, expand the Notifications section.

This is where you will configure how the CloudTrail Alert will notify you of an action. Your options are:

  • Email — send an alert email to any relevant email addresses.
  • SNS Topic — send alerts to an SNS topic.
  • PagerDuty — send alerts via the PagerDuty API.
  • Syslog — communicate the relevant info to other entities such as Security Information and Event Management systems (SIEM).
  • Slack — push the alerts to a Slack channel via webhook.
  • Lambda — the alert can call an AWS Lambda function that you have created in order to take action.

 

Filters

The Filters section is where you can see and configure which CloudTrail events the alert searches for and where in your AWS deployment it searches.

For this Built-In alert, each of the four sections (Region, Service, Event, User) is pre-populated with the relevant search criteria for effective results. To learn specifically what is being searched for, you can click on any of the sections’ binocular icons to browse the selected criteria. For this particular alert, Any security-related event, you can see that it has many pre-selected events.

Advanced Options

The Advanced Options section gives you granular control over the CloudTrail alert’s response behavior.

Event Filters

  • Response Type: This is the type of response that the alert looks for. All is selected by default for this example, but the alert can also look for Success, Failure, or Unauthorized Access.
  • Resource ID: The alert can be configured to report on specific Resource IDs only.

Threshold to Fire

By default there are no entries in this field, so the alert will trigger (aka fire) every single time that a matching event is encountered. With the huge number of AWS API calls in a given deployment, this could result in a large number of alerts. You can customize the threshold for the alert to fire — for example, you might tell it to only fire when 20 matching events have occurred within a time period of one minute.

Request & Response

A CloudTrail event is going to have a Request parameter and a Response parameter. You can customize the alert so that it only fires if these specific parameters ARE or ARE NOT present in the event data.

IP Address Filters

You can restrict the IP Address range that the alerts monitor, effectively doing things such as white-listing your own address range, or making sure that the alerts do not alert on IP Addresses originating from AWS.
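The Response Type, Threshold to Fire, and IP Address Filters options above combine into one decision per CloudTrail event. The following Python is an added example of that logic, not CloudCheckr's implementation: the mapping from `errorCode` to Response Type, always treating `*.amazonaws.com` callers as excluded, restarting the count after a fire, and all function names are assumptions, and the events are constructed.

```python
import ipaddress
from collections import deque
from datetime import datetime, timedelta

def response_type(event):
    """Assumed mapping from CloudTrail errorCode to the alert's Response Type."""
    code = event.get("errorCode")
    if not code:
        return "Success"
    if "AccessDenied" in code or "Unauthorized" in code:
        return "Unauthorized Access"
    return "Failure"

def source_excluded(event, excluded_nets):
    """True if the caller is inside an excluded CIDR or is an AWS service."""
    src = event.get("sourceIPAddress", "")
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        # AWS-originated calls carry a service DNS name instead of an IP.
        return src.endswith(".amazonaws.com")
    return any(addr in net for net in excluded_nets)

def evaluate(events, event_names, wanted, excluded_cidrs, count, window_s):
    """Return the eventTime values at which the alert would fire."""
    nets = [ipaddress.ip_network(c) for c in excluded_cidrs]
    window, fired = deque(), []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev["eventName"] not in event_names or source_excluded(ev, nets):
            continue
        if wanted != "All" and response_type(ev) != wanted:
            continue
        t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        window.append(t)
        while t - window[0] > timedelta(seconds=window_s):
            window.popleft()
        if len(window) >= count:
            fired.append(ev["eventTime"])
            window.clear()  # assumption: counting restarts after a fire
    return fired

# Constructed sample events (not real log data).
def make_event(sec, src, code="Client.UnauthorizedOperation"):
    return {"eventTime": f"2024-01-01T10:00:{sec:02d}Z", "sourceIPAddress": src,
            "eventName": "AuthorizeSecurityGroupIngress", "errorCode": code}

SAMPLE = ([make_event(s, "198.51.100.7") for s in range(5)]
          + [make_event(1, "10.0.0.5"), make_event(2, "cloudformation.amazonaws.com"),
             make_event(3, "198.51.100.7", None)])
```

With a threshold of 3 events in 60 seconds, the five denied calls from one external address fire once instead of five times, while the internal, AWS-originated, and successful calls never count toward the threshold.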

Misc.

By default, CloudCheckr saves the results of your CloudTrail alerts but you have the option to turn off this functionality, leaving you with just the main method of alerting (email, Slack, etc.).

Ignored

This section will display any alert results that you have ignored. Items can be ignored from the Alerts/CloudTrail/Results section or from your alert emails, and the ignores can be based around various criteria. The ignores can be unignored or edited in this section.

If you click Edit on an existing ignored item, you’ll gain access to the Ignore Configuration screen.

You can configure an ignore in the following ways:

  • Ignore this Region — Ignore an entire AWS Region.

  • Ignore this Service — Ignore an entire AWS Service.

  • Ignore this Event Name — Ignore a specific Event Name.

  • Ignore this User — Ignore a specific User. Wildcards accepted.

  • Ignore this Request Parameter — Ignore a specific Request Parameter.

  • Ignore this Response Element — Ignore a specific Response Element. Wildcards accepted.

After you’ve added any info to your alert, be sure to save it and turn the alert on.

Custom Alerts

Custom alerts function in the same way as the Built-In alerts.

You can create a custom alert by either clicking on the +New Alert button at the top of the Alert Manager, or by clicking Copy Alert from within an existing Built-In alert — this will create a modifiable copy for you.

You’ll next need to create a new alert name.

Within the new alert, you will start to configure all the characteristics documented in the Built-In alert example at the start of this page. In the Filters section, you will modify whatever the alert will be searching for.

If you have copied this alert, you will already have filter criteria populated. If you are creating a new alert from scratch, you will need to select the new filter criteria. To help, you can use the Built-In alerts as a template by selecting one from the Alert me when I see… pulldown menu.

After you’ve added any info to your alert, be sure to save it and turn the alert on.

Results

Your CloudTrail Alerts will be sent to you in the manner you have dictated (email, Slack, etc.), but CloudCheckr also provides you with a comprehensive and searchable list of all your alert results. You can find this at Security/Alerts/CloudTrail/Results.

The Alert Results screen shows you all the details regarding your triggered alerts — what happened, when, where, by whom. Within this report you can do searches, sorts, and exports of all your alert results.

When you drill down into a result, you also get access to the raw JSON for the offending CloudTrail event.

As well, you can Ignore any individual event from within the Alerts Results screen. This functionality is the same as in the Ignore section within the individual alerts in Alert Manager (as shown earlier).

To Summarize

The CloudTrail Alert Manager allows you to enable/disable CloudCheckr’s recommended pre-configured Built-In CloudTrail alerts, or manage your user-created Custom Alerts. Within the Built-In Alerts tab, you simply enable or disable the pre-configured alerts. You can click on any to see the specific events and parameters that will trigger the alert, as well as configure the notification method (email, SNS topic, PagerDuty, Syslog, or Slack webhook). The Built-In Alerts allow you to quickly enable alerts without having to scour through the list of events to find the correct event types for your alert.

The CloudTrail Custom Alert Builder allows you to create alerts based on all available events that are logged by the AWS CloudTrail service, including resource creation and deletion, modifications to IAM policies, and VPC reconfigurations. You can copy any pre-existing Built-In Alert and modify its parameters, or you can click the “Create New Alert” button to create an alert from scratch.

When creating CloudTrail alerts you can filter the alerts by events coming from specific AWS regions, services, or from specific IAM users. You can also only be alerted to events that occur within (or outside) of specific IP ranges, that occur against specific resources, or that contain specific Response and/or Request parameters.

This gives you total flexibility to be alerted to the precise activity that’s important to you. You also have the ability to ignore specific results to eliminate any noise, and review those ignored items later if necessary.

In addition to the notification sent when an Alert is triggered, the details of the Alert will be saved within the CloudTrail Alert Results page of your CloudCheckr account. This report offers several filtering options and the ability to choose which columns to show in the results. You can expand any alert to see further details, including the raw JSON of the CloudTrail event that triggered the alert. You also have the ability to ignore individual results.