Post on 17-Jul-2015
Need of Audit Trail
Introduction to CloudTrail
How to Enable CloudTrail in your AWS Account
Analyzing CloudTrail using Cloudlytics
Manage Security & Compliance of your AWS Account using CloudTrail
The average cost of a data breach in 2014 was $3.5 Million. – Ponemon Institute
On an average, companies are attacked 16,856 times a year, and many of those attacks result in a quantifiable data breach. – IBM Security Services
“In the average attack, you get 90% of the data you want in like nine hours, and yet most of the companies don't find out for three to four months.” – John Chambers, CEO (CISCO)
“There is no data center or network in the world that hasn't been hacked. If you watched the number of attacks, they're going up exponentially this year (2015), this year's going to be much worse than last year.” – John Chambers, CEO (CISCO)
92% of data breaches can be described by just nine distinct patterns. – Verizon (2014 Data Breach Investigations Report)
43% of C-level executives say negligent insiders are the greatest threat to sensitive data. – IBM Services
An Audit Trail is a security-relevant chronological record, set of records, and/or destination and source of records that provide documentary evidence of the sequence of activities that have affected at any time a specific operation, procedure, or event. Audit records typically result from activities such as financial transactions, scientific research and health care data transactions, or from communications by individual people, systems, accounts, or other entities.
Why keep an audit trail?
• Ensure Security
• Maintain Individual Accountability
• Recreate Events
• Detect Intrusions
• Analyze Errors
CloudTrail
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.
Regions where CloudTrail is available:
• Tokyo
• Sydney
• Singapore
• Frankfurt
• Ireland
• Sao Paulo
• Northern Virginia
• GovCloud
• Northern California
• Oregon
Services supported by CloudTrail:
Administration & Security
• AWS IAM
• AWS CloudWatch
• AWS Key Management Service
• AWS Security Token Service
• AWS CloudHSM
• AWS Config
Analytics
• Amazon EMR
• Amazon Kinesis
• AWS Data Pipeline
Application Services
• Amazon SQS
• Amazon SWF
• Amazon Elastic Transcoder
• Amazon CloudSearch
Deployment & Management
• AWS Elastic Beanstalk
• AWS OpsWorks
• AWS CloudFormation
• AWS CodeDeploy
Database
• Amazon RDS
• Amazon ElastiCache
• Amazon Redshift
Compute
• Amazon EC2
• Auto Scaling
• ELB
Enterprise Applications
• Amazon WorkDocs
Mobile Services
• Amazon SNS
Networking
• Amazon VPC
Storage & Content Delivery
• AWS Storage Gateway
• Amazon Glacier
• Amazon CloudFront
• Amazon Elastic Block Storage (EBS)
What CloudTrail records:
• Successful requests to AWS Services
• Time of Request
• User Identity
• Access Keys being Used
• Request Response
AWS Identity and Access Management is a web service that enables AWS customers to manage users and user permissions in AWS.
Amazon Elastic Compute Cloud (Amazon EC2) provides resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers and allow them to obtain and configure capacity with minimal issues.
Sample CloudTrail record (a StopInstances call on EC2):
{
  "Records": [
    {
      "eventVersion": "1.0",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
      },
      "eventTime": "2014-03-06T21:01:59Z",
      "eventSource": "ec2.amazonaws.com",
      "eventName": "StopInstances",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "205.251.233.176",
      "userAgent": "ec2-api-tools 1.6.12.2",
      "requestParameters": {
        "instancesSet": { "items": [ { "instanceId": "i-ebeaf9e2" } ] },
        "force": false
      },
      "responseElements": {
        "instancesSet": {
          "items": [
            {
              "instanceId": "i-ebeaf9e2",
              "currentState": { "code": 64, "name": "stopping" },
              "previousState": { "code": 16, "name": "running" }
            }
          ]
        }
      }
    }
  ]
}
Questions a CloudTrail record answers:
• Who initiated an Action? (userIdentity)
• Time of the Action? (eventTime)
• What Action was taken? (eventSource, eventName)
• Where was the Action performed? (awsRegion, sourceIPAddress)
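The four questions can be answered mechanically from the record fields. The following is an added example, not part of the deck or of Cloudlytics: it parses a constructed CloudTrail log whose first record mirrors the StopInstances record shown above (the other two records, the "Bob" user, the second access key and the denied calls are made up for illustration) and produces the who/when/what/where summary together with the Top-5 counts and the list of unauthorized calls that the Overview Report slides describe.

```python
import json
from collections import Counter

# Constructed sample log in CloudTrail's {"Records": [...]} layout. The first record follows
# the StopInstances record on the slide; the other two are constructed to show denied calls.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.0", "eventTime": "2014-03-06T21:01:59Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "StopInstances",
     "awsRegion": "us-west-2", "sourceIPAddress": "205.251.233.176",
     "userIdentity": {"type": "IAMUser", "userName": "Alice", "accessKeyId": "EXAMPLE_KEY_ID",
                      "arn": "arn:aws:iam::123456789012:user/Alice"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-ebeaf9e2"}]}}},
    {"eventVersion": "1.0", "eventTime": "2014-03-06T21:05:10Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "Bob", "accessKeyId": "EXAMPLE_KEY_ID_2",
                      "arn": "arn:aws:iam::123456789012:user/Bob"},
     "errorCode": "AccessDenied"},                     # IAM refused the call
    {"eventVersion": "1.0", "eventTime": "2014-03-06T21:09:42Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "awsRegion": "us-west-2", "sourceIPAddress": "205.251.233.176",
     "userIdentity": {"type": "IAMUser", "userName": "Alice", "accessKeyId": "EXAMPLE_KEY_ID",
                      "arn": "arn:aws:iam::123456789012:user/Alice"},
     "errorCode": "Client.UnauthorizedOperation"},     # EC2's form of a denied call
]})

def summarize(record):
    """Answer the slide's four questions (who, when, what, where) for one record."""
    ident = record.get("userIdentity", {})
    return {
        "who": ident.get("userName") or ident.get("arn") or ident.get("type", "unknown"),
        "access_key": ident.get("accessKeyId"),
        "when": record["eventTime"],
        "what": record["eventSource"] + ":" + record["eventName"],
        "where": (record["awsRegion"], record["sourceIPAddress"]),
        # errorCode is only present when the call failed; denied calls are the
        # "Unauthorized Accesses" an overview report surfaces.
        "denied": record.get("errorCode", "").endswith(("AccessDenied", "UnauthorizedOperation")),
    }

def overview(log_text, top=5):
    """Overview-report style Top-N counts plus the list of denied calls."""
    rows = [summarize(r) for r in json.loads(log_text)["Records"]]
    return {
        "top_users": Counter(r["who"] for r in rows).most_common(top),
        "top_services": Counter(r["what"].split(":")[0] for r in rows).most_common(top),
        "top_ips": Counter(r["where"][1] for r in rows).most_common(top),
        "top_keys": Counter(r["access_key"] for r in rows).most_common(top),
        "unauthorized": [(r["when"], r["who"], r["what"], r["where"][1]) for r in rows if r["denied"]],
    }
```

Real log files are gzip-compressed JSON objects of the same shape delivered to the S3 bucket configured for the trail, so the same functions apply after decompressing each object.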
Compliance drivers for an audit trail:
HIPAA Section 164.312(1)(b) – Audit controls (required), which states organizations must “Implement hardware, software, & procedural mechanisms that record & examine activity in information systems that contain or use electronic protected health information.”
PCI DSS – Requires user logon and log off events to be recorded as part of the "follow the user" requirement.
Cloudlytics reports for CloudTrail:
• Overview Report
• User Audit Report
• EC2 Activity Report
• Custom Report
Overview Report
• Top 5 Users
• Top 5 Services
• Top 5 IP Addresses
• Top 5 Access Keys
• Unauthorized Accesses
• Location
EC2 Activity Report
• List of Instances
• Instance Related Activities
• User Access Patterns
• Errors
User Audit Report
• List of Users
• User Related Activities
• User Access Patterns
• Geographic Locations
• Access Keys Used
Custom Report – Generate your own Report
• Define a Query
• Generate Report
Getting started with Cloudlytics:
1. Create a New User from the IAM Console
2. Set the User Policy
3. Grant Cloudlytics access to the S3 bucket containing the CloudTrail logs
4. Register with Cloudlytics
5. Configure CloudTrail
6. Start Analyzing AWS Logs