Page Comparison

Purpose

An analyst wants to detect malicious behavior in AWS.  Using the CloudTrail SQS collector, the analyst will find every management and data action taken by AWS principals.  As a result, the analyst will revoke the malicious principal’s role, preventing them from disabling cloud services.

...

1. Authorize SQS Data Access.

2. Add data to the S3 bucket.

   1. If you have an AWS organization, create a trail for the organization. Otherwise, create a trail for an AWS account. “Quick create” is not recommended.

      

   2. Name the trail Devo.

      

   3. Edit the trail.

   4. Use the existing bucket created in Step 1.
      

      

   5. Disable SSE-KMS. If you require SSE-KMS, the key resource must be added to the cross account role you crated for Devo.

      

   6. On the next screen, enable events.

      1. Management events are supported by Devo and recommended for detection of unauthorized changes to AWS resources.

      2. Data events are supported by Devo and recommended for detection of unauthorized access or modification of resources, including S3 data (cloud.aws.cloudtrail.s3) and SNS notifications (cloud.aws.cloudtrail.sns).

      3. Insights events are supported by Devo and are recommended for detecting malicious API activity and API service degradation problems (cloud.aws.cloudtrail.insights).

         

   7. Create the trail.

Run It

In the Cloud Collector App, create an SQS Collector instance using this parameters template, replacing the values enclosed in < >.

...

/*
A malicious user has disabled CloudTrail 
to hide their subsequent activity.
Identify the user.
*/

from cloud.aws.cloudtrail.cloudtrail
  where eventName = "StopLogging"

...

Monitor It

Create an inactivity alertto detect interruptions of transfer of data from the source to the SQS queue using the query

...