Updated AWS::CloudTrail::EventDataStore
Use the IngestionEnabled property to specify whether you want the event data store to ingest events.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-eventdatastore.html #cloudtrail #cloudformation
#AWS #organizations #demo #project update from Maolte Technical Solutions Limited. #security #hub findings down to 9 with 2nd #cloudtrail and several #metrics running off key #filters in #cloudwatch, which now have an #alarm. Do stay tuned for developments towards the end of the week... #awscommunity #cloudinfrastructure #cloud
#aws #organizations #demo #project #security #hub #cloudtrail #metrics #filters #cloudwatch #alarm #AWSCommunity #cloudinfrastructure #cloud
SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft
#SCARLETEEL #cyberattack #dataleak #databreach
#container #Terraform #Kubernetes #AWS #CloudTrail #cybersecurity
#cyberattack #dataleak #databreach #container #terraform #kubernetes #aws #cloudtrail #cybersecurity #scarleteel
#AWS #organizations #demo #project making progress on org wide #service #configuration. I solved the #encryption issue from yesterday and have #cloudtrail #insights org-wide now set up in a robust configuration that complies with project requirements. It's a useful tool to develop once insights start to register, which is why creating an #SNS topic made sense. Stay tuned for updates... #cloudinfrastructure #cloudarchitecture
#aws #organizations #demo #project #service #configuration #encryption #cloudtrail #insights #sns #cloudinfrastructure #cloudarchitecture
That's a wrap for the day on my #aws #organizations #demo #project. I ran into #configuration problems around #aws #cloudtrail #sns and #s3 when configuring #aws #cloudtrail #insights. Got it and will check it tomorrow before I take a few hours away from the office.
#aws #organizations #demo #project #configuration #cloudtrail #sns #s3 #insights
New AWS::CloudTrail::ResourcePolicy.ResourcePolicy
Use the ResourcePolicy property to specify the JSON-formatted string that contains the resource-based policy to attach to the CloudTrail channel.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudtrail-resourcepolicy-resourcepolicy.html #cloudtrail #cloudformation
New AWS::CloudTrail::ResourcePolicy.ResourceArn
Use the ResourceArn property to specify the Amazon Resource Name (ARN) of the CloudTrail channel attached to the resource-based policy. The following is the format of a resource ARN: arn:aws:cloudtrail:us-east-2:123456789012:channel/MyChannel.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudtrail-resourcepolicy-resourcearn.html #cloudtrail #cloudformation
New AWS::CloudTrail::ResourcePolicy
Use the ResourcePolicy resource to attach a resource-based permission policy to a CloudTrail channel that is used for an integration with an event source outside of AWS. For more information about resource-based policies, see CloudTrail resource-based policy examples in the CloudTrail User Guide.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-resourcepolicy.html #cloudtrail #cloudformation
Analyzing CloudTrail Requests Related to SCPs: ACM.140 Trying to figure out conditions and ARNs to create a delegated administrator for SCPs
by Teri Radichel | Jan 25, 2023
#cloudtrail #scp #iam #delegatedadministrator #cloudsecurity #governance
https://medium.com/cloud-security/analyzing-cloudformation-requests-related-to-scps-7cd8647d1a07
#AWS - Patches bypass bug in #CloudTrail API monitoring tool
https://portswigger.net/daily-swig/aws-patches-bypass-bug-in-cloudtrail-api-monitoring-tool
"AWS CloudTrail vulnerability: Undocumented API allows CloudTrail bypass"
https://securitylabs.datadoghq.com/articles/iamadmin-cloudtrail-bypass/
#aws folks: check out this now-fixed vulnerability that someone found by observing AWS account traffic and parsing it. #iam #iamadmin #cloudtrail https://securitylabs.datadoghq.com/articles/iamadmin-cloudtrail-bypass/
#aws #iam #iamadmin #cloudtrail
Many #CSPM and #CIEM use-cases rely on #AWS #CloudTrail. A good audit trail captures sufficient information about WHO, WHAT, WHEN and WHERE. If any of these are missing or lacking in details, it becomes a nightmare to glue things together. I spent a decent amount of time analyzing CT. Let's check how good AWS CloudTrail is!
#CSPM #CIEM #AWS #CloudTrail #IAM
https://medium.com/@seshu/aws-cloudtrail-the-good-the-bad-and-the-ugly-b314c32138d9
#cspm #CIEM #aws #cloudtrail #iam
@dob That's a big scope.
Some things we do that make our lives easier and don't cost $$$.
Enable #guardduty and pipe all the alerts into a slack channel (+email as well).
Enable #cloudtrail, log everything to an #S3 bucket in another account. #cloudwatch alerts on auth failures (to slack + email; some go to the pagerduty #infosec contact).
We also have some alerts on updates when a cidr is added to a #SecurityGroup.
Don't use #ssh or #bastion/#JumpHosts; use #ssm to run automations on the hosts (package install, service restarts etc.) and also to get a shell on a box (if needed at all). (You can use #TransitiveTags with #RoleAssumption to give granular access.)
Using #ssm for console access also logs the entire session (including someone doing sudo su - root etc!) into #S3.
Use #MicroSegmentation within our #vpc. Instances behind an #alb will only accept traffic from the #alb #SecurityGroup etc. #rds, #elasticache will only accept traffic from instances in the appropriate #SecurityGroup. (Basically we don't use cidr ingress rules, we use security group ids.) (This works across accounts in the same region with peering, but not across regions.)
#guardduty #cloudtrail #s3 #cloudwatch #infosec #securitygroup #ssh #bastion #ssm #transitivetags #roleassumption #microsegmentation #vpc #alb #rds #elasticache #aws
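The two alert types the reply above describes (CloudWatch alerts on auth failures, and alerts whenever a CIDR rather than a security-group id is added to a security group) boil down to a couple of checks over CloudTrail records. The snippet below is an added example, not code from the poster or from any AWS tooling: it runs those checks over a handful of constructed CloudTrail records (field names follow the public CloudTrail record format; every value, ARN, group id and IP is made up) and emits alerts that carry the WHO / WHEN / WHERE an analyst needs for triage. The `AUTHZ_ERROR_CODES` set and the severity mapping are assumptions for illustration.

```python
"""Triage constructed CloudTrail records for the two alert types in the post:
authentication failures and CIDR-based security-group ingress.
Added example, not code from the original thread; record shapes follow the
public CloudTrail event format, but every value below is constructed."""
import ipaddress
from typing import Any

# Error codes that mean IAM rejected the call (assumed set, extend as needed).
AUTHZ_ERROR_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}

# Constructed sample records: one failed console login, one successful login,
# one API call denied by IAM, one ingress rule sourced from a security group
# (the post's preferred style) and one ingress rule open to the world.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"eventTime": "2023-01-25T09:00:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
    {"eventTime": "2023-01-25T09:00:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2023-01-25T09:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/bob"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2023-01-25T09:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": {"groupId": "sg-0aaa111122223333a", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432,
          "groups": {"items": [{"groupId": "sg-0bbb111122223333b"}]},
          "ipRanges": {"items": []}, "ipv6Ranges": {"items": []}}]}}},
    {"eventTime": "2023-01-25T09:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": {"groupId": "sg-0aaa111122223333a", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "groups": {"items": []},
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {"items": []}}]}}},
]


def is_auth_failure(event: dict[str, Any]) -> bool:
    """True for failed console logins and for API calls rejected by IAM."""
    if event.get("eventName") == "ConsoleLogin":
        return event.get("responseElements", {}).get("ConsoleLogin") == "Failure"
    return event.get("errorCode") in AUTHZ_ERROR_CODES


def cidr_ingress_additions(event: dict[str, Any]) -> list[str]:
    """CIDR ranges an AuthorizeSecurityGroupIngress call adds (IPv4 and IPv6).
    Security-group-id sources are ignored, so an empty list means the rule only
    references other security groups, which is the post's preferred pattern."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress" or event.get("errorCode"):
        return []  # not an ingress change, or the call failed and changed nothing
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    cidrs: list[str] = []
    for perm in perms:
        for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
            for rng in perm.get(key, {}).get("items", []):
                if rng.get(field):
                    cidrs.append(rng[field])
    return cidrs


def is_world_open(cidr: str) -> bool:
    """A /0 prefix admits every address of that family."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def triage(events: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Turn raw records into alerts that name who acted, when and from where."""
    alerts: list[dict[str, str]] = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        who = ident.get("arn") or ident.get("userName", "unknown")
        when, where = ev.get("eventTime", "unknown"), ev.get("sourceIPAddress", "unknown")
        if is_auth_failure(ev):
            alerts.append({"kind": "auth_failure", "severity": "medium",
                           "summary": f"{when} {ev['eventName']} failed for {who} from {where}"})
        for cidr in cidr_ingress_additions(ev):
            group = ev["requestParameters"].get("groupId", "?")
            alerts.append({"kind": "cidr_ingress",
                           "severity": "high" if is_world_open(cidr) else "low",
                           "summary": f"{when} {who} added {cidr} to {group} from {where}"})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['kind']}: {alert['summary']}")
```

In production the same two predicates would sit behind a CloudWatch Logs metric filter or a Lambda subscribed to the CloudTrail log group; the point of the `triage` output is that each alert already carries the actor, time and source address, which is what makes a slack or pagerduty notification actionable without a second lookup.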
I started visualising my #CloudTrail events on #AWS using #ElasticSearch. I blogged about it and put the code on Github.
Blog post: https://blog.paco.to/2019/cloudtrail-to-elasticsearch/
GitHub: https://github.com/pacohope/cloudtrail-logs-to-AWS-Elasticsearch-Service
#cloudtrail #aws #elasticsearch
I have to admit, once I got #kibana and #elk running in my #aws account, I just had to Log All The Things. Got some great ability to analyse #CloudTrail out of it.