JoeHack3r


Analyzing CloudTrail Data Using SumoLogic



Recently, Amazon Web Services notified users whose accounts had been compromised because an access key ID and secret access key had been posted publicly on sites like GitHub. If this happened to you, or made you wonder about the security of your own access keys, there is a service you need to be using: CloudTrail.

AWS offers CloudTrail to provide a history of AWS API calls for your account.

  • Not sure if an account is still being used? CloudTrail can help.
  • Not sure what permissions an account needs? CloudTrail can help.
  • Want to know where access is coming from? CloudTrail can help.

CloudTrail saves API log data in an S3 bucket, which can then be analyzed with products like SumoLogic, Splunk, etc. I am most familiar with SumoLogic and created this video to help you get started using CloudTrail and SumoLogic. A couple of notes before watching the video. First, watch out for the Source Category name: it must be AWS_EAGLE, or the Sumo Logic App for AWS CloudTrail will not parse the logs properly.

Second, in the video I mention that if you are using an existing bucket, its bucket policy will need to be edited so that CloudTrail can write to it. More specifically, follow the steps outlined in the AWS CloudTrail User Guide.

As for the IAM user created for SumoLogic to read the S3 bucket, here is the policy attached to it for your reference. It is read-only (list and get on the bucket and its objects), which is all the collector needs; attach it to a dedicated user with no other permissions:

IAM User Policy for Access to CloudTrail bucket
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": [
        "arn:aws:s3:::myBucketName",
        "arn:aws:s3:::myBucketName/*"
      ]
    }
  ]
}

Finally, here are some CloudTrail-SumoLogic searches to help you get started. One caveat: a parse line drops every record that does not contain the field being parsed (a console login, for example, has no accessKeyId), so append nodrop to a parse line if you want those records kept in the results.

SumoLogic CloudTrail search - good first search
//What are the most frequent userName, eventName, userAgent, IPAddress, accessKey combinations
_sourceCategory=AWS_EAGLE |
parse "\"accessKeyId\":\"*\"" as accessKey |
parse "\"userName\":\"*\"" as userName |
parse "\"sourceIPAddress\":\"*\"" as IPAddress |
parse "\"userAgent\":\"*\"" as userAgent |
parse "\"eventSource\":\"*\"" as eventSource |
parse "\"eventName\":\"*\"" as eventName |
count as count by userName, eventName, userAgent, IPAddress, accessKey |
order by count, userAgent, IPAddress

SumoLogic CloudTrail search - any suspect IPs
//What IP addresses are the requests coming from?
//(only IPAddress and count survive the aggregation, so that is all we can order by)
_sourceCategory=AWS_EAGLE |
parse "\"accessKeyId\":\"*\"" as accessKey |
parse "\"userName\":\"*\"" as userName |
parse "\"sourceIPAddress\":\"*\"" as IPAddress |
parse "\"userAgent\":\"*\"" as userAgent |
parse "\"eventSource\":\"*\"" as eventSource |
parse "\"eventName\":\"*\"" as eventName |
count as count by IPAddress |
order by count

SumoLogic CloudTrail search - look for errors
//Looking for errors (AccessDenied from an unfamiliar key or IP is worth a close look)
_sourceCategory=AWS_EAGLE errorCode |
parse "\"accessKeyId\":\"*\"" as accessKey |
parse "\"errorCode\":\"*\"" as errorCode |
parse "\"userName\":\"*\"" as userName |
parse "\"sourceIPAddress\":\"*\"" as IPAddress |
parse "\"userAgent\":\"*\"" as userAgent |
parse "\"eventSource\":\"*\"" as eventSource |
parse "\"eventName\":\"*\"" as eventName |
count as count by userName, eventName, userAgent, errorCode, IPAddress, accessKey |
order by count, userAgent, IPAddress

SumoLogic CloudTrail search - search for specific key
//Looking for specific key: AKIAABCDEFGHIJKLMNOP
_sourceCategory=AWS_EAGLE
AND "\"accessKeyId\":\"AKIAABCDEFGHIJKLMNOP\"" |
parse "\"accessKeyId\":\"*\"" as accessKey |
parse "\"userName\":\"*\"" as userName |
parse "\"sourceIPAddress\":\"*\"" as IPAddress |
parse "\"userAgent\":\"*\"" as userAgent |
parse "\"eventSource\":\"*\"" as eventSource |
parse "\"eventName\":\"*\"" as eventName |
count as count by userName, accessKey, IPAddress |
order by userName

SumoLogic CloudTrail search - ignore specific userName
//Not my IAM DataDog user
_sourceCategory=AWS_EAGLE
AND !"\"userName\":\"DataDog\"" |
parse "\"accessKeyId\":\"*\"" as accessKey |
parse "\"userName\":\"*\"" as userName |
parse "\"sourceIPAddress\":\"*\"" as IPAddress |
parse "\"userAgent\":\"*\"" as userAgent |
parse "\"eventSource\":\"*\"" as eventSource |
parse "\"eventName\":\"*\"" as eventName |
count as count by userName, accessKey, IPAddress |
order by userName

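If you would rather run these checks straight from the S3 files (or don't have a Sumo Logic account yet), here is the same set of questions answered offline in Python. This is an added example and not code from the original post or from Sumo Logic. The record layout (a gzipped JSON object with a "Records" list, accessKeyId and userName under userIdentity) is the real CloudTrail format; the user names, key IDs, IP addresses and events in the sample are constructed for the example. It also shows the drop-versus-nodrop behaviour: a console login has no accessKeyId, so any grouping that includes accessKey silently loses it unless you ask to keep such records.

```python
"""Offline equivalents of the five CloudTrail searches (added example)."""
import gzip
import json
from collections import Counter

# Constructed sample in the shape CloudTrail writes to S3. All names, key IDs,
# IPs and events are made up for this example.
SAMPLE_RECORDS = [
    {"userIdentity": {"type": "IAMUser", "userName": "DataDog",
                      "accessKeyId": "AKIAABCDEFGHIJKLMNOP"},
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.10", "userAgent": "datadog-agent/4.0"},
    {"userIdentity": {"type": "IAMUser", "userName": "deploy",
                      "accessKeyId": "AKIAQRSTUVWXYZ123456"},
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/1.3.0",
     "errorCode": "AccessDenied"},
    {"userIdentity": {"type": "IAMUser", "userName": "deploy",
                      "accessKeyId": "AKIAQRSTUVWXYZ123456"},
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/1.3.0"},
    {"userIdentity": {"type": "IAMUser", "userName": "deploy",
                      "accessKeyId": "AKIAQRSTUVWXYZ123456"},
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.200", "userAgent": "aws-cli/1.3.0"},
    # Console sign-in: no userName and no accessKeyId in userIdentity.
    {"userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "192.0.2.44", "userAgent": "Mozilla/5.0"},
]
# One CloudTrail S3 object: gzip of {"Records": [...]}
SAMPLE_GZ = gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())


def load_records(gz_bytes):
    """Decode one CloudTrail S3 object into its list of records."""
    return json.loads(gzip.decompress(gz_bytes))["Records"]


def flatten(rec):
    """Extract the same fields the Sumo 'parse' lines pull out; None if absent."""
    ident = rec.get("userIdentity", {})
    return {
        "accessKey": ident.get("accessKeyId"),
        "userName": ident.get("userName"),
        "IPAddress": rec.get("sourceIPAddress"),
        "userAgent": rec.get("userAgent"),
        "eventSource": rec.get("eventSource"),
        "eventName": rec.get("eventName"),
        "errorCode": rec.get("errorCode"),
    }


def count_by(records, *keys, nodrop=False):
    """'count by k1, k2, ... | order by count' (descending).

    Like a Sumo parse without nodrop, a record missing any of the grouping
    fields is dropped; pass nodrop=True to keep it with None in that slot.
    """
    counts = Counter()
    for f in map(flatten, records):
        if not nodrop and any(f[k] is None for k in keys):
            continue
        counts[tuple(f[k] for k in keys)] += 1
    return counts.most_common()


def errors(records):
    """'_sourceCategory=AWS_EAGLE errorCode': only records that carry an errorCode."""
    return [flatten(r) for r in records if "errorCode" in r]


def by_access_key(records, key_id):
    """Everything done with one specific access key ID."""
    return [flatten(r) for r in records
            if r.get("userIdentity", {}).get("accessKeyId") == key_id]


def excluding_user(records, user):
    """Everything except a known-noisy IAM user (e.g. a monitoring agent)."""
    return [flatten(r) for r in records
            if r.get("userIdentity", {}).get("userName") != user]


if __name__ == "__main__":
    recs = load_records(SAMPLE_GZ)
    print("top combos:", count_by(recs, "userName", "eventName", "userAgent",
                                  "IPAddress", "accessKey"))
    print("by IP:", count_by(recs, "IPAddress"))
    print("errors:", errors(recs))
    print("key AKIAQRSTUVWXYZ123456:", by_access_key(recs, "AKIAQRSTUVWXYZ123456"))
    print("not DataDog:", excluding_user(recs, "DataDog"))
```

To run it against real data, replace SAMPLE_GZ with the bytes of an object fetched from the CloudTrail bucket with the read-only IAM user above; the rest of the script is unchanged.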


References: https://support.sumologic.com/entries/30216746-Sumo-Logic-App-for-AWS-CloudTrail
