Aggregate CloudTrail Collection in CloudCheckr

AWS lets you deliver CloudTrail log files from multiple AWS accounts into a single S3 bucket. CloudCheckr processes such an aggregated bucket through a Multi-Account View (MAV).

With a MAV, you can view the details and events from these aggregated CloudTrails. CloudCheckr also automatically routes each event from the MAV into the standard account it belongs to.
You must use a MAV in CloudCheckr to process aggregated CloudTrail log files.

Procedure

  1. Load or create the MAV you want to configure from your list of MAVs.
  2. From the left navigation pane, choose Security > Activity Monitoring > AWS API (CloudTrail) > Aggregated S3 Buckets > Configure.

    The Edit AWS Aggregated CloudTrail Credentials And Buckets page opens.

  3. Click + Add S3 bucket.

    The New Cloud Aggregate Credential dialog box opens.

  4. In the Name of the S3 Bucket storing the Aggregate CloudTrail text field, type the name of the S3 bucket where you are storing your aggregate CloudTrail log files.
  5. Type the access key and secret key of the IAM user who has permissions to access the S3 bucket that contains the aggregate CloudTrail logs and click Add.

    The IAM user must exist in the same AWS account as the S3 aggregated bucket.

    If you don't have an IAM user with an access key and secret key, there are instructions for creating it here.

    For access to the aggregated CloudTrail S3 bucket, the IAM user's policy needs only the following permissions:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "s3:ListAllMyBuckets",
                    "s3:List*"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "s3:GetObject",
                    "s3:GetBucketLocation"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::NAME-OF-CLOUDTRAIL-BUCKET*",
                    "arn:aws:s3:::NAME-OF-CLOUDTRAIL-BUCKET/*",
                    "arn:aws:s3:::NAME-OF-CLOUDTRAIL-BUCKET"
                ]
            },
            {
                "Action": [
                    "iam:GetUser"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }

    CloudCheckr recommends restricting the s3:GetObject permission to only the S3 bucket that holds the CloudTrail data. Note that the resource arn:aws:s3:::NAME-OF-CLOUDTRAIL-BUCKET* also matches any other bucket whose name starts with that string; the bucket ARN and its /* form already cover the bucket and its objects, so you can drop the wildcard entry if you do not need it. The s3:List* statement on Resource "*" lets the key list the objects of every bucket in the account; s3:ListBucket can be scoped to the CloudTrail bucket ARN in the same way if that is broader than you want (s3:ListAllMyBuckets itself only works on "*").

  6. Click Update.

    CloudCheckr will now begin to download the CloudTrail data from that S3 bucket. Once it's complete, you can use the CloudTrail events report in this MAV to explore the CloudTrail data.
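Before pasting the access key into CloudCheckr, it is worth checking that the policy attached to that IAM user really is scoped the way the procedure above recommends. The script below is an added example, not CloudCheckr's own tooling: it embeds the policy from the page as a Python dict (with the NAME-OF-CLOUDTRAIL-BUCKET placeholder kept as-is), reports any Allow statement that grants s3:GetObject beyond the named bucket, flags the trailing-wildcard bucket ARN, and produces a tightened copy. The function names check_bucket_policy and tighten_bucket_policy are this example's own.

```python
"""Least-privilege check for the IAM policy that reads the aggregated
CloudTrail bucket. Added example, not CloudCheckr's own code: PAGE_POLICY is
constructed from the policy shown on the page, and the function names are
this example's own."""
import copy
import json

S3_ARN_PREFIX = "arn:aws:s3:::"

# The actions the page's policy grants; anything outside this set is reported.
EXPECTED_ACTIONS = {"s3:ListAllMyBuckets", "s3:List*", "s3:GetObject",
                    "s3:GetBucketLocation", "iam:GetUser"}

# The policy from the page, with the placeholder bucket name kept as-is.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["s3:ListAllMyBuckets", "s3:List*"],
         "Effect": "Allow", "Resource": "*"},
        {"Action": ["s3:GetObject", "s3:GetBucketLocation"],
         "Effect": "Allow",
         "Resource": [S3_ARN_PREFIX + "NAME-OF-CLOUDTRAIL-BUCKET*",
                      S3_ARN_PREFIX + "NAME-OF-CLOUDTRAIL-BUCKET/*",
                      S3_ARN_PREFIX + "NAME-OF-CLOUDTRAIL-BUCKET"]},
        {"Action": ["iam:GetUser"], "Effect": "Allow", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def check_bucket_policy(policy, bucket):
    """Return findings (strings) for Allow statements that grant more than the
    page's policy needs. An empty list means s3:GetObject is scoped to `bucket`."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        for action in actions:
            if action not in EXPECTED_ACTIONS:
                findings.append(f"statement {i}: unexpected action {action}")
        if "s3:GetObject" not in actions:
            continue
        for res in resources:
            if res == "*":
                findings.append(f"statement {i}: s3:GetObject granted on every bucket")
            elif res == f"{S3_ARN_PREFIX}{bucket}*":
                # A trailing wildcard on the bucket name also matches sibling
                # buckets such as NAME-OF-CLOUDTRAIL-BUCKET-backup.
                findings.append(f"statement {i}: {res} also matches other buckets "
                                f"whose names start with {bucket}")
            elif res not in (f"{S3_ARN_PREFIX}{bucket}", f"{S3_ARN_PREFIX}{bucket}/*"):
                findings.append(f"statement {i}: s3:GetObject on unrelated resource {res}")
    return findings


def tighten_bucket_policy(policy, bucket):
    """Return a copy whose s3:GetObject statements name exactly the bucket and
    its objects, which is the scoping the page recommends."""
    tightened = copy.deepcopy(policy)
    for stmt in tightened["Statement"]:
        if stmt.get("Effect") == "Allow" and "s3:GetObject" in _as_list(stmt["Action"]):
            stmt["Resource"] = [f"{S3_ARN_PREFIX}{bucket}", f"{S3_ARN_PREFIX}{bucket}/*"]
    return tightened


if __name__ == "__main__":
    bucket = "NAME-OF-CLOUDTRAIL-BUCKET"
    for finding in check_bucket_policy(PAGE_POLICY, bucket):
        print("finding:", finding)
    print(json.dumps(tighten_bucket_policy(PAGE_POLICY, bucket), indent=4))
```

Run it with your real bucket name substituted for the placeholder; the page's policy as written yields exactly one finding (the wildcard ARN), and the tightened copy yields none. The check deliberately ignores the s3:List* and iam:GetUser statements, since those are the ones the page says the collector needs.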

Understanding Your Aggregate CloudTrail Collection

Aggregate CloudTrail is a model that scales to an enterprise: security administrators can report on and audit all the CloudTrail data in the deployment, while account owners keep access to and control over their own accounts' CloudTrail data. You can see, identify, and search for any CloudTrail event in any log in any account.

Why Do Admins and Account Owners Share Access to Data?

As an administrator, you have access to every single CloudTrail event when you set up aggregate CloudTrail. Every AWS account will potentially have multiple trails, one per region, and if you have many accounts, this is a huge amount of data.

The CloudTrail reports provide the searching, filtering, and auditing functionality you need to conduct forensics on any action.

The next step is to create CloudTrail alerts so that CloudCheckr can notify you of potentially harmful actions, such as security group changes or unauthorized access attempts.

You can use the built-in alerts to secure your cloud deployment or create custom alerts as your deployment becomes more sophisticated.

Any CloudTrail alert that you create for an account will also be seen by the account owner; likewise, any alert they create will be seen by you. Account owners can only create alerts in their accounts.

This feature gives you a centralized place for access and control while still giving your users access to their own accounts' data.
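To make concrete what the aggregated model above involves (splitting one bucket's log files back into per-account event streams, then applying alert rules such as security group changes and unauthorized access attempts), here is an added example that does both offline. It is not CloudCheckr's code and makes no AWS calls: the bucket is simulated as a dict of S3 key to gzipped bytes, the log files are constructed sample data in CloudTrail's Records format, and the assumed key layout is the one CloudTrail itself uses when delivering to S3 (AWSLogs/<account-id>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/<file>.json.gz, with an extra organization-id segment for organization trails). The event and error-code lists are this example's own choice of rules, not CloudCheckr's built-in alert definitions.

```python
"""Route objects from an aggregated CloudTrail bucket into per-account event
streams and flag alert-worthy events. Added example with constructed sample
data; no AWS calls are made."""
import gzip
import json
import re
from collections import defaultdict

# Key layout CloudTrail uses when delivering to S3 (assumed here); the optional
# "o-.../" segment appears for organization trails. Digest files live under
# "CloudTrail-Digest/" and therefore do not match.
KEY_RE = re.compile(
    r"^AWSLogs/(?:o-[a-z0-9]+/)?(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z0-9-]+)/\d{4}/\d{2}/\d{2}/[^/]+\.json\.gz$"
)

# This example's own alert rules, standing in for CloudCheckr's built-in ones.
SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}
UNAUTHORIZED_CODES = {"AccessDenied", "UnauthorizedOperation",
                      "Client.UnauthorizedOperation"}


def parse_key(key):
    """Return (account_id, region) for a CloudTrail log object key, else None."""
    m = KEY_RE.match(key)
    return (m.group("account"), m.group("region")) if m else None


def load_log_object(body):
    """Decompress one delivered log file and return its Records list."""
    return json.loads(gzip.decompress(body))["Records"]


def classify(record):
    """Return the alert names that apply to one CloudTrail record."""
    alerts = []
    if (record.get("eventSource") == "ec2.amazonaws.com"
            and record.get("eventName") in SG_CHANGE_EVENTS):
        alerts.append("SecurityGroupChange")
    if record.get("errorCode") in UNAUTHORIZED_CODES:
        alerts.append("UnauthorizedAccessAttempt")
    return alerts


def route_bucket(objects):
    """objects maps S3 key -> gzipped log file bytes.

    Returns (per_account, alerts, skipped): per_account maps account id ->
    records; alerts holds (account, alert, eventName, sourceIPAddress) tuples;
    skipped lists keys that are not CloudTrail log files plus records whose
    recipientAccountId disagrees with the account in the key path."""
    per_account = defaultdict(list)
    alerts, skipped = [], []
    for key, body in sorted(objects.items()):
        parsed = parse_key(key)
        if parsed is None:
            skipped.append((key, "not a CloudTrail log key"))
            continue
        account, _region = parsed
        for rec in load_log_object(body):
            # Integrity check: a record filed under one account's path must
            # name that account, otherwise it would be routed to the wrong owner.
            if rec.get("recipientAccountId") != account:
                skipped.append((key, f"record for {rec.get('recipientAccountId')} under {account}"))
                continue
            per_account[account].append(rec)
            for name in classify(rec):
                alerts.append((account, name, rec["eventName"], rec.get("sourceIPAddress")))
    return dict(per_account), alerts, skipped


def _gz(records):
    return gzip.compress(json.dumps({"Records": records}).encode())


# Constructed sample objects, not real log files or account ids.
SAMPLE_BUCKET = {
    "AWSLogs/111111111111/CloudTrail/us-east-1/2024/01/15/111111111111_CloudTrail_us-east-1_20240115T1200Z_a1b2.json.gz": _gz([
        {"eventTime": "2024-01-15T12:00:01Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
         "sourceIPAddress": "203.0.113.7", "recipientAccountId": "111111111111"},
        {"eventTime": "2024-01-15T12:00:05Z", "eventSource": "s3.amazonaws.com",
         "eventName": "ListBuckets", "awsRegion": "us-east-1",
         "sourceIPAddress": "203.0.113.7", "recipientAccountId": "111111111111"},
    ]),
    "AWSLogs/222222222222/CloudTrail/eu-west-1/2024/01/15/222222222222_CloudTrail_eu-west-1_20240115T1205Z_c3d4.json.gz": _gz([
        {"eventTime": "2024-01-15T12:05:00Z", "eventSource": "iam.amazonaws.com",
         "eventName": "CreateUser", "awsRegion": "eu-west-1", "errorCode": "AccessDenied",
         "sourceIPAddress": "198.51.100.9", "recipientAccountId": "222222222222"},
        {"eventTime": "2024-01-15T12:05:30Z", "eventSource": "sts.amazonaws.com",
         "eventName": "GetCallerIdentity", "awsRegion": "eu-west-1",
         "sourceIPAddress": "198.51.100.9", "recipientAccountId": "333333333333"},
    ]),
    "AWSLogs/222222222222/CloudTrail-Digest/eu-west-1/2024/01/15/digest.json.gz": _gz([]),
}

if __name__ == "__main__":
    per_account, alerts, skipped = route_bucket(SAMPLE_BUCKET)
    for account, recs in per_account.items():
        print(account, len(recs), "events")
    for entry in alerts:
        print("ALERT", entry)
    for entry in skipped:
        print("SKIPPED", entry)
```

Against the sample bucket this routes two events to the first account and one to the second, raises one SecurityGroupChange and one UnauthorizedAccessAttempt alert, and skips both the digest file and the record that claims a third account from inside the second account's path. Replacing SAMPLE_BUCKET with a listing of a real bucket (for example via boto3's list_objects_v2 and get_object) is the only change needed to run it against live data.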
