Aggregate CloudTrail Collection in CloudCheckr

Configuring Aggregate CloudTrail Collection in CloudCheckr

AWS allows you to combine CloudTrail log files from multiple AWS accounts into a single S3 bucket. Using CloudCheckr’s Multi-Account View, you can view the details and events from these aggregated Trails.  CloudCheckr will also automatically funnel the events down from the Multi-Account View into the general accounts, if they have been added to CloudCheckr.

Note: You must use a multi-account view in CloudCheckr to process aggregated CloudTrail log files.

To configure your CloudCheckr Multi-Account View to retrieve the log files from your AWS aggregated S3 bucket, follow these steps:

1 – Load (or create) the Multi-Account View you would like to configure from your list of Multi-Account Views.

2 – In the left-hand menu of reports, select Security > Activity Monitoring > AWS API (CloudTrail) > Aggregated S3 Buckets > Configure

3 – Within the “Name of the S3 Bucket storing the Aggregate CloudTrail data” text box enter the exact name of the S3 bucket where your aggregate CloudTrail log files are being stored.

4 – Enter the Access Key and Secret Key from an IAM user that has permissions to access the S3 bucket storing the aggregate CloudTrail logs.
NOTE: The IAM user must exist in the same AWS account as the S3 aggregated bucket.

If you don’t have an IAM user with an Access Key and Secret Key, there are instructions for creating one here: https://support.cloudcheckr.com/getting-started-with-cloudcheckr/adding-credentials-in-cloudcheckr/creating-an-aws-user-group-and-policy/. Note that for the Aggregated CloudTrail S3 Bucket Access described in this article, the IAM user policy you create via the above-linked instructions only needs the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:GetUser",
                "s3:GetObject",
                "s3:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

5 – Click the Update button.

That’s it! CloudCheckr will now begin downloading the Trail data from that S3 bucket. Once that’s finished you can use the CloudTrail events report within this Multi-Account View to explore the Trail data.
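The step 4 policy grants its three actions on every resource ("Resource": "*"), which is more than reading one aggregate bucket requires. The script below is an added example, not CloudCheckr's own code or documentation: it checks which of the required actions a policy grants (honouring IAM wildcard actions such as s3:List*), reports what is granted on Resource "*", and builds an equivalent policy scoped to the aggregate bucket and the user's own identity. The bucket name, account ID and user name it uses are constructed placeholders.

```python
"""Check the aggregate-CloudTrail IAM policy from the article and build a scoped equivalent."""
import fnmatch
import json

# Actions CloudCheckr needs to read an aggregate CloudTrail bucket (per the article).
REQUIRED_ACTIONS = ("iam:GetUser", "s3:GetObject", "s3:ListBucket")

# The policy shown in step 4 of the article, embedded here as test input.
ARTICLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Action": ["iam:GetUser", "s3:GetObject", "s3:List*"],
                 "Effect": "Allow", "Resource": "*"}]
}""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, required=REQUIRED_ACTIONS):
    """Return the subset of `required` covered by an Allow statement's Action patterns.
    IAM action matching is case-insensitive and '*' is a wildcard, so compare lower-cased."""
    covered = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            covered.update(a for a in required
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return covered


def wildcard_resources(policy):
    """Return the actions an Allow statement grants on Resource "*" (what to tighten)."""
    wide = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            wide.update(_as_list(stmt.get("Action", [])))
    return wide


def scoped_policy(bucket, account_id, user_name):
    """Build a policy limited to the aggregate bucket and the IAM user's own ARN.
    Placeholder values are constructed; substitute your bucket, account and user."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"},
        {"Effect": "Allow", "Action": "iam:GetUser",
         "Resource": f"arn:aws:iam::{account_id}:user/{user_name}"}]}
```

Run `allowed_actions` on both policies to confirm the scoped version still covers every required action, and `wildcard_resources` to confirm it grants nothing on "*".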

Understanding Your Aggregate CloudTrail Collection

Aggregate CloudTrail is an enterprise-scalable model that allows security admins to report on and audit all the CloudTrail data throughout their deployment, while also giving individual account owners access to and control over their own CloudTrail data. You will have the ability to see, identify, and search for any CloudTrail event in any log in any account, all with rich metadata for conducting your forensics.

So, Admins and Standard Accounts Have Shared Access to the CloudTrail Data —  Why Is This Important?

When you set up aggregate CloudTrail, you as the admin have access to every single CloudTrail event. Every AWS account will potentially have multiple trails (one per region), and if you have many accounts, this is a huge amount of data. The CloudTrail reports give you the searching, filtering, and auditing functionality to conduct forensics on any action.

However, the next step is to create CloudTrail Alerts so that you can be alerted to any actions (such as Security Group changes, Unauthorized Access Attempts, etc.) that you consider dangerous. By leveraging CloudCheckr’s Built-In Alerts, you have a large template set to secure your management plane, because you are able to apply these alerts to any of the possibly thousands of AWS accounts in your deployment. You are then able to create custom alerts as your deployment becomes more sophisticated.

Further, when you want your account owners to have control to see their own CloudTrail events — and more importantly, create their own CloudTrail Alerts — that is possible. Any CloudTrail Alert that you create for an account will be seen by the account owner; likewise any alert they create will be seen by you. Account owners can only create alerts in their own accounts.

This organizational dynamic radically eases the security management aspect of your AWS deployment because you have both one centralized place for access and control (for you) and proper individualized access for your users.

To get more info, please click on the links below:

An explanation of all of CloudCheckr’s CloudTrail reports is here.

An explanation of CloudCheckr’s CloudTrail Alerts feature is here.

An explanation of using CloudTrail Alerts to call AWS Lambda functions is here.