AWS CloudTrail

AWS CloudTrail is a service that enables auditing of your AWS account. With CloudTrail, you can log, monitor, and retain account activity related to actions across your AWS infrastructure. This service provides the event history of your AWS account activity, such as actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

Amazon configuration

  1. From your AWS console, choose “CloudTrail” from the Deployment & Management section:

  2. Create a new trail:

  3. Provide a name for the new S3 bucket that will be used to store the CloudTrail logs (remember the name you provide here, you’ll need to reference it during plugin setup):

    Note

    The standard file system AWS CloudTrail will create has this structure:

    <bucket_name>/<prefix>/AWSLogs/<account_id>/CloudTrail/<region>/<year>/<month>/<day>
    

    The exact layout can vary with how the trail is configured; of these components, only bucket_name and prefix are chosen by the user, the rest are set by CloudTrail.
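The path layout in the note above is what a collector has to parse when it walks the bucket, and what it has to build when it wants to list only one day's objects. The following is an added example (not code from the ThreatLockDown documentation or project) that does both; it assumes the directory layout shown in the note, treats the object file name after the day component as opaque because the page does not specify it, and uses a region pattern (two letters, one or more words, a number) that is an assumption of this example:

```python
"""Parse and build CloudTrail S3 object keys.
Added example; not part of the ThreatLockDown documentation. Assumes the layout
<prefix>/AWSLogs/<account_id>/CloudTrail/<region>/<year>/<month>/<day>/<object>
where prefix is optional and may contain slashes."""
from __future__ import annotations

import re
from datetime import date
from typing import Optional

# Region pattern (e.g. us-east-1, us-gov-west-1) and 12-digit account id are
# assumptions of this example, not something the page specifies.
_KEY_RE = re.compile(
    r"^(?:(?P<prefix>.+?)/)?AWSLogs/(?P<account_id>\d{12})/CloudTrail/"
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d+)/"
    r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/(?P<object>[^/]+)$"
)


def parse_cloudtrail_key(key: str) -> Optional[dict]:
    """Split an object key into its components.

    Returns None for keys that do not follow the CloudTrail layout, e.g. digest
    files under CloudTrail-Digest/ or unrelated objects in the same bucket, so a
    collector can skip them instead of failing on them."""
    match = _KEY_RE.match(key)
    if not match:
        return None
    parts = match.groupdict()
    parts["prefix"] = parts["prefix"] or ""
    # Reject impossible dates (e.g. month 13) rather than passing them downstream.
    try:
        parts["date"] = date(int(parts["year"]), int(parts["month"]), int(parts["day"]))
    except ValueError:
        return None
    return parts


def day_prefix(prefix: str, account_id: str, region: str, day: date) -> str:
    """Build the key prefix for one account/region/day, so a ListObjects call can be
    scoped to the logs of that day instead of walking the whole bucket."""
    clean = prefix.strip("/")
    base = f"{clean}/" if clean else ""
    return (f"{base}AWSLogs/{account_id}/CloudTrail/{region}/"
            f"{day:%Y}/{day:%m}/{day:%d}/")


if __name__ == "__main__":
    # Constructed sample key; the file name part is made up for the demonstration.
    sample = ("logs/AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/03/"
              "123456789012_CloudTrail_us-east-1_20240503T0000Z_sample.json.gz")
    parsed = parse_cloudtrail_key(sample)
    print(parsed)
    print(day_prefix("logs", "123456789012", "us-east-1", parsed["date"]))
```

A collector that keeps the last processed day can call day_prefix for each day since then and list only those prefixes, which also keeps the s3:ListBucket calls small.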

Policy configuration

To create a policy using the Amazon Web Services console, follow the AWS documentation.

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the ThreatLockDown user.

To allow an AWS user to use the module with read-only permissions, it must have a policy like the following attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/*",
                "arn:aws:s3:::<bucket-name>"
            ]
        }
    ]
}

If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/*",
                "arn:aws:s3:::<bucket-name>"
            ]
        }
    ]
}

Note

<bucket-name> is a placeholder. Replace it with the actual name of the bucket from which you want to retrieve logs.

Once a policy has been created, there are different ways to attach it to a user, such as attaching it directly or attaching it to a group the user belongs to. More information on how to perform those tasks is available in the AWS documentation.
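The two policies above grant only the three S3 actions the module needs, scoped to one bucket. Before attaching a policy it is worth checking that nobody widened it (a wildcard action, a resource of "*", or the <bucket-name> placeholder left in place). The following is an added example, not code from the ThreatLockDown documentation or project, that performs that check offline; it assumes the policy document is available as parsed JSON (for instance the file written before creating the policy, or the output of aws iam get-policy-version), and the bucket name and the overly broad policy are constructed for the demonstration:

```python
"""Offline least-privilege check for the S3 policy attached to the collector user.
Added example; not part of the ThreatLockDown documentation or code base."""
import json
from typing import List, Set

# Actions the CloudTrail collector needs (first policy on the page); s3:DeleteObject is
# only justified when the module deletes files after collecting them (second policy).
REQUIRED_ACTIONS = {"s3:GetObject", "s3:ListBucket"}
OPTIONAL_ACTIONS = {"s3:DeleteObject"}


def audit_policy(policy: dict, bucket: str, allow_delete: bool = False) -> List[str]:
    """Return a list of findings; an empty list means the policy grants exactly what
    the collector needs on the named bucket and nothing more."""
    findings: List[str] = []
    allowed = REQUIRED_ACTIONS | (OPTIONAL_ACTIONS if allow_delete else set())
    expected_resources = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    granted: Set[str] = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        # In IAM JSON, Action and Resource may each be a single string or a list.
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        resources = stmt.get("Resource", [])
        resources = {resources} if isinstance(resources, str) else set(resources)
        for action in sorted(actions):
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            elif action not in allowed:
                findings.append(f"{sid}: action {action!r} is not needed by the collector")
        for res in sorted(resources):
            if "<" in res:
                findings.append(f"{sid}: placeholder left in resource {res!r}")
            elif res not in expected_resources:
                findings.append(f"{sid}: resource {res!r} is outside bucket {bucket!r}")
        granted |= actions
    for action in sorted(REQUIRED_ACTIONS - granted):
        findings.append(f"missing required action {action!r}")
    return findings


# Constructed sample: the page's read-only policy with the placeholder filled in.
BUCKET = "example-cloudtrail-bucket"
READ_ONLY_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::%s/*", "arn:aws:s3:::%s"]
    }]
}""" % (BUCKET, BUCKET))

# Constructed counter-example: a broad grant that should not be attached to the user.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

if __name__ == "__main__":
    for label, pol in [("read-only", READ_ONLY_POLICY), ("broad", OVERLY_BROAD_POLICY)]:
        print(label, audit_policy(pol, BUCKET) or "OK")
```

Run the check with allow_delete=True only for the second policy on the page; with the default it flags s3:DeleteObject, which is the point: deletion rights should be a deliberate choice, not something that slips in.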

ThreatLockDown configuration

  1. Open the ThreatLockDown configuration file (/var/ossec/etc/ossec.conf) and add the following configuration block to enable the integration with CloudTrail:

    <wodle name="aws-s3">
      <disabled>no</disabled>
      <interval>10m</interval>
      <run_on_start>yes</run_on_start>
      <skip_on_error>yes</skip_on_error>
      <bucket type="cloudtrail">
        <name>wazuh-cloudtrail</name>
        <aws_profile>default</aws_profile>
      </bucket>
    </wodle>
    

    To monitor logs from multiple AWS accounts, configure one <bucket> block per bucket within the aws-s3 wodle. Each <bucket> tag must carry a type attribute matching the service being monitored (cloudtrail in this case).

    Note

    Check the AWS S3 module reference manual to learn more about each setting.

  2. Restart ThreatLockDown in order to apply the changes:

    • If you're configuring a ThreatLockDown manager:

      # systemctl restart wazuh-manager
      
    • If you're configuring a ThreatLockDown agent:

      # systemctl restart wazuh-agent
      

CloudTrail use cases

EC2

Amazon EC2 (Elastic Compute Cloud) provides scalable computing capacity in the cloud. When using this service, it is highly recommended to monitor it for intrusion attempts or other unauthorized actions performed against your cloud infrastructure.

Below are some use cases for ThreatLockDown rules built for EC2.

Run a new instance in EC2

When a user runs a new instance in EC2, an AWS event is generated. As previously mentioned, the log message is collected by the ThreatLockDown agent and forwarded to the manager for analysis. The following alert is shown in the ThreatLockDown dashboard; it includes data such as the instance type, the user who created it, and the creation date:

When a user tries to run an instance without the required permissions, the following alert is shown in Kibana:

Start instances in EC2

When an instance in EC2 is started, the following alert is shown on the ThreatLockDown dashboard; it includes information such as the instance id and the user who started it:

If a user tries to start instances without the required permissions, the following alert is shown on Kibana:

Stop instances in EC2

When an instance in EC2 is stopped, the following alert will be shown on Kibana:

If a user tries to stop instances without the required permissions, the following alert is shown on Kibana:

Create Security Groups in EC2

When a new security group is created, the following alert is shown on the ThreatLockDown dashboard. It shows information such as the user who created it and information about the security group:

Allocate a new Elastic IP address

If a new Elastic IP address is allocated, the following alert will be shown on Kibana:

Associate a new Elastic IP address

If an Elastic IP address is associated, then rule 80446 will apply, generating the corresponding alert:

IAM

AWS Identity and Access Management (IAM) log data can be used to monitor user access to AWS services and resources. Using IAM, you can create and manage AWS users and groups, and manage permissions to allow and deny their access to AWS resources.

Below are some use cases for ThreatLockDown alerts built and used for IAM events.

Create a user account

When a new user account is created in IAM, an AWS event is generated. As previously mentioned, the log message is collected by the ThreatLockDown agent and forwarded to the manager for analysis. When a user account is created, the following alert appears on the ThreatLockDown dashboard. You can see the username of the created user and who created it:

Create a user account without permissions

If an unauthorized user attempts to create new users, the following alert is shown in the ThreatLockDown dashboard. It shows which user tried to create an account and the username it tried to create:

User login failed

When a user tries to log in with an invalid password, the following alert is shown in the ThreatLockDown dashboard. It includes data such as the user who tried to log in and the browser that was used:

Possible break-in attempt

When more than 4 authentication failures occur in a 360 second time window, ThreatLockDown raises this alert:

Login success

After a successful login, the following event is shown in the ThreatLockDown dashboard. It shows the user who logged in, the browser used, and other useful information:
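The EC2 and IAM use cases above all reduce to a few CloudTrail fields: eventSource and eventName identify the action, errorCode tells a denied attempt from a successful one, responseElements.ConsoleLogin carries the login outcome, and the "possible break-in attempt" condition is a count of failures per user inside a time window (more than 4 in 360 seconds, as stated above). The following is an added example, not the ThreatLockDown ruleset or any code from the project, that implements that classification and the sliding-window correlation over constructed CloudTrail-like records; the field names are CloudTrail's, the records, user names and timestamps are made up for the demonstration:

```python
"""Classify CloudTrail records into the EC2 and IAM conditions described in the
use cases, and flag a possible break-in attempt.
Added example; not the ThreatLockDown/Wazuh ruleset. All records below are constructed."""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional, Tuple

FAILURE_THRESHOLD = 4   # page: "more than 4 authentication failures"
WINDOW_SECONDS = 360    # page: "in a 360 second time window"

EC2_ACTIONS = {
    "RunInstances": "run instance",
    "StartInstances": "start instances",
    "StopInstances": "stop instances",
    "CreateSecurityGroup": "create security group",
    "AllocateAddress": "allocate Elastic IP",
    "AssociateAddress": "associate Elastic IP",
}
# errorCode values CloudTrail records for permission failures on IAM and EC2 calls.
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}


def _actor(rec: dict) -> str:
    return rec.get("userIdentity", {}).get("userName", "<unknown>")


def _is_login_failure(rec: dict) -> bool:
    return (rec.get("eventName") == "ConsoleLogin"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Failure")


def classify(rec: dict) -> Optional[str]:
    """Map one record to a readable condition, or None if it is outside the use cases."""
    source, name, user = rec.get("eventSource"), rec.get("eventName"), _actor(rec)
    denied = " (denied: missing permissions)" if rec.get("errorCode") in DENIED_CODES else ""
    if source == "signin.amazonaws.com" and name == "ConsoleLogin":
        outcome = "failed" if _is_login_failure(rec) else "succeeded"
        return f"IAM console login {outcome} for {user}"
    if source == "ec2.amazonaws.com" and name in EC2_ACTIONS:
        return f"EC2 {EC2_ACTIONS[name]} by {user}{denied}"
    if source == "iam.amazonaws.com" and name == "CreateUser":
        target = rec.get("requestParameters", {}).get("userName", "<unknown>")
        return f"IAM create user {target} by {user}{denied}"
    return None


def break_in_attempts(records: List[dict]) -> List[Tuple[str, str]]:
    """Sliding-window correlation: return (user, eventTime) for each login failure that
    raises that user's failure count above FAILURE_THRESHOLD within WINDOW_SECONDS.
    Records must be in chronological order."""
    window: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, str]] = []
    for rec in records:
        if not _is_login_failure(rec):
            continue
        user = _actor(rec)
        t = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        q = window[user]
        q.append(t)
        while (t - q[0]).total_seconds() > WINDOW_SECONDS:  # drop failures outside the window
            q.popleft()
        if len(q) > FAILURE_THRESHOLD:
            alerts.append((user, rec["eventTime"]))
    return alerts


def _rec(source: str, name: str, user: str, time: str, **extra) -> dict:
    """Constructed CloudTrail-like record carrying only the fields read above."""
    return {"eventSource": source, "eventName": name, "eventTime": time,
            "userIdentity": {"type": "IAMUser", "userName": user}, **extra}


SAMPLE_RECORDS = [
    _rec("ec2.amazonaws.com", "RunInstances", "alice", "2024-05-03T10:00:00Z"),
    _rec("ec2.amazonaws.com", "StopInstances", "bob", "2024-05-03T10:00:30Z",
         errorCode="Client.UnauthorizedOperation"),
    _rec("iam.amazonaws.com", "CreateUser", "bob", "2024-05-03T10:01:00Z",
         errorCode="AccessDenied", requestParameters={"userName": "new-user"}),
] + [
    _rec("signin.amazonaws.com", "ConsoleLogin", "carol", f"2024-05-03T10:0{i}:00Z",
         responseElements={"ConsoleLogin": "Failure"}, errorMessage="Failed authentication")
    for i in range(2, 7)  # five failures at 10:02 .. 10:06, all inside one 360 s window
] + [
    _rec("signin.amazonaws.com", "ConsoleLogin", "carol", "2024-05-03T10:07:00Z",
         responseElements={"ConsoleLogin": "Success"}),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(classify(r))
    print(break_in_attempts(SAMPLE_RECORDS))
```

The fifth failure for carol is the one that trips the threshold, so exactly one break-in alert is produced for that record; the successful login afterwards is reported on its own and does not reset the window, which is what lets a later success right after a burst of failures stand out in the dashboard.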

The ThreatLockDown dashboard charts for IAM events consist of a Pie Chart and a Stacked Groups panel.