AWS CloudTrail provides comprehensive logging of API calls and events across your AWS infrastructure. Combined with CloudWatch, EventBridge, and Security Hub, it forms the foundation of AWS security monitoring. This guide covers implementing effective audit logging and threat detection.
Effective security monitoring requires collecting the right data, storing it securely, and analyzing it for threats. CloudTrail captures who did what, when, and from where, enabling incident investigation and compliance auditing.
CloudTrail Configuration

resource "aws_cloudtrail" "main" {
  name                          = "organization-trail"
  s3_bucket_name                = aws_s3_bucket.cloudtrail.id
  include_global_service_events = true
  is_multi_region_trail         = true
  is_organization_trail         = true
  enable_log_file_validation    = true
  kms_key_id                    = aws_kms_key.cloudtrail.arn

  # Also deliver events to CloudWatch Logs; without this the metric filters
  # and alarms in the next section never receive any data. The log group ARN
  # must end in ":*". The IAM role is assumed to be defined elsewhere and
  # needs logs:CreateLogStream and logs:PutLogEvents on the group.
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
  cloud_watch_logs_role_arn  = aws_iam_role.cloudtrail_cloudwatch.arn

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    # Record S3 object-level data events for every bucket in scope
    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3"]
    }
  }

  # CloudTrail Insights flags unusual API call volumes against a baseline
  insight_selector {
    insight_type = "ApiCallRateInsight"
  }
}

CloudWatch Alarms
resource "aws_cloudwatch_log_metric_filter" "root_login" {
  name = "root-account-usage"
  # Matches every CloudTrail record whose caller is the account root user,
  # including calls AWS services make on the account's behalf with the root
  # identity (userIdentity.invokedBy present)
  pattern        = "{ $.userIdentity.type = \"Root\" }"
  log_group_name = aws_cloudwatch_log_group.cloudtrail.name

  metric_transformation {
    name      = "RootAccountUsage"
    namespace = "SecurityMetrics"
    value     = "1"
  }
}

# Any root activity in a 5-minute window (Sum > 0) notifies the security topic
resource "aws_cloudwatch_metric_alarm" "root_login" {
  alarm_name          = "root-account-usage"
  comparison_operator = "GreaterThanThreshold"
  evaluation_periods  = 1
  metric_name         = "RootAccountUsage"
  namespace           = "SecurityMetrics"
  period              = 300
  statistic           = "Sum"
  threshold           = 0
  alarm_actions       = [aws_sns_topic.security.arn]
}

EventBridge Rules
resource "aws_cloudwatch_event_rule" "security_group_change" {
  name        = "security-group-changes"
  description = "Detect security group modifications"

  # Object keys containing a hyphen must be quoted in HCL. Only the two
  # ingress APIs are listed; egress changes and group creation/deletion
  # are not matched by this pattern.
  event_pattern = jsonencode({
    source        = ["aws.ec2"]
    "detail-type" = ["AWS API Call via CloudTrail"]
    detail = {
      eventSource = ["ec2.amazonaws.com"]
      eventName   = ["AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress"]
    }
  })
}

# The SNS topic's access policy must allow events.amazonaws.com to Publish,
# otherwise EventBridge deliveries fail without an error in this configuration.
resource "aws_cloudwatch_event_target" "security_group_change" {
  rule      = aws_cloudwatch_event_rule.security_group_change.name
  target_id = "send-to-sns"
  arn       = aws_sns_topic.security.arn
}

Security Hub Integration
resource "aws_securityhub_account" "main" {}

data "aws_region" "current" {}

resource "aws_securityhub_standards_subscription" "cis" {
  # CIS v1.4.0 uses a regional "standards" ARN; the global "ruleset" form
  # only exists for the legacy v1.2.0 benchmark
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/cis-aws-foundations-benchmark/v/1.4.0"
  depends_on    = [aws_securityhub_account.main]
}

GuardDuty
resource "aws_guardduty_detector" "main" {
  enable = true

  # Extend the default VPC Flow Log / DNS / CloudTrail analysis with S3 data
  # events, EKS audit logs, and malware scans of EBS volumes attached to
  # instances that already have findings
  datasources {
    s3_logs {
      enable = true
    }
    kubernetes {
      audit_logs {
        enable = true
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          enable = true
        }
      }
    }
  }
}

Log Analysis Queries
# CloudWatch Logs Insights - Failed console logins
fields @timestamp, userIdentity.userName, sourceIPAddress
| filter eventName = "ConsoleLogin" and responseElements.ConsoleLogin = "Failure"
| sort @timestamp desc
| limit 100

Best Practices
- Enable CloudTrail in all regions
- Use organization trails for multi-account
- Enable log file validation
- Encrypt logs with KMS
- Enable CloudTrail Insights
- Create alarms for critical events
- Integrate with Security Hub
- Enable GuardDuty for threat detection
- Retain logs for compliance requirements
- Regularly review and analyze logs
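To see what the three detection rules above actually match, here is an added example (not code from the original post and not an AWS library) that reimplements them in Python over a handful of constructed CloudTrail records: the root-usage metric filter, the EventBridge security-group pattern, and the failed-console-login Logs Insights query. The records, account ID and IP addresses are made up; `matches_pattern` implements only EventBridge's exact-match semantics (no prefix, numeric or anything-but filters), and the `strict` flag applies the refinement the CIS benchmark adds to the root filter, which excludes calls an AWS service makes with the root identity.

```python
import json
from collections import Counter


def rec(name, source, identity, **extra):
    """Build a constructed CloudTrail record carrying the fields the rules inspect."""
    record = {"eventVersion": "1.08", "eventTime": "2024-01-01T10:00:00Z",
              "eventType": "AwsApiCall", "eventSource": source, "eventName": name,
              "sourceIPAddress": "203.0.113.9", "userIdentity": identity}
    record.update(extra)
    return record


ALICE = {"type": "IAMUser", "userName": "alice"}
BOB = {"type": "IAMUser", "userName": "bob"}
ROOT = {"type": "Root", "accountId": "111111111111"}  # constructed account id

# Constructed log file in the shape CloudTrail delivers: {"Records": [...]}
SAMPLE_LOG_FILE = json.dumps({"Records": [
    rec("ConsoleLogin", "signin.amazonaws.com", ALICE, eventType="AwsConsoleSignIn",
        sourceIPAddress="198.51.100.7", responseElements={"ConsoleLogin": "Failure"}),
    rec("ConsoleLogin", "signin.amazonaws.com", ALICE, eventType="AwsConsoleSignIn",
        eventTime="2024-01-01T10:00:05Z", sourceIPAddress="198.51.100.7",
        responseElements={"ConsoleLogin": "Failure"}),
    rec("ConsoleLogin", "signin.amazonaws.com", BOB, eventType="AwsConsoleSignIn",
        eventTime="2024-01-01T10:01:00Z", responseElements={"ConsoleLogin": "Success"}),
    # Root user calling IAM directly
    rec("CreateAccessKey", "iam.amazonaws.com", ROOT, eventTime="2024-01-01T10:02:00Z"),
    # Root identity used by an AWS service on the account's behalf
    rec("GetBucketAcl", "s3.amazonaws.com", {**ROOT, "invokedBy": "config.amazonaws.com"},
        eventTime="2024-01-01T10:03:00Z", sourceIPAddress="config.amazonaws.com"),
    # Security group changes: ingress is in the rule's eventName list, egress is not
    rec("AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", BOB, eventTime="2024-01-01T10:04:00Z"),
    rec("AuthorizeSecurityGroupEgress", "ec2.amazonaws.com", BOB, eventTime="2024-01-01T10:05:00Z"),
]})


def is_root_usage(record, strict=True):
    """Metric filter { $.userIdentity.type = Root }. With strict=True also drop
    service-invoked root calls (invokedBy present) and AwsServiceEvent records,
    as the CIS benchmark's version of the filter does."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "Root":
        return False
    if strict and ("invokedBy" in ident or record.get("eventType") == "AwsServiceEvent"):
        return False
    return True


# The event_pattern from the EventBridge rule, as a Python dict
SG_RULE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"],
               "eventName": ["AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress"]},
}


def to_eventbridge_event(record):
    """Envelope a CloudTrail record takes when EventBridge receives it."""
    service = record["eventSource"].split(".")[0]
    return {"source": f"aws.{service}", "detail-type": "AWS API Call via CloudTrail",
            "detail": record}


def matches_pattern(event, pattern):
    """EventBridge exact-match semantics: every pattern key must exist in the event;
    a list means the event value must equal one member; dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(expected, dict):
            if not isinstance(value, dict) or not matches_pattern(value, expected):
                return False
        elif value not in expected:
            return False
    return True


def failed_console_logins(records, limit=100):
    """The Logs Insights query as Python: failed ConsoleLogin events, newest first,
    capped at `limit`, projected to (timestamp, userName, sourceIPAddress)."""
    hits = [r for r in records if r.get("eventName") == "ConsoleLogin"
            and r.get("responseElements", {}).get("ConsoleLogin") == "Failure"]
    hits.sort(key=lambda r: r["eventTime"], reverse=True)
    return [(r["eventTime"], r["userIdentity"].get("userName"), r["sourceIPAddress"])
            for r in hits[:limit]]


def run_detections(log_file_json):
    """Run all three rules over one log file and report what each matched."""
    records = json.loads(log_file_json)["Records"]
    logins = failed_console_logins(records)
    return {
        "root_loose": [r["eventName"] for r in records if is_root_usage(r, strict=False)],
        "root_strict": [r["eventName"] for r in records if is_root_usage(r)],
        "sg_changes": [r["eventName"] for r in records
                       if matches_pattern(to_eventbridge_event(r), SG_RULE_PATTERN)],
        "failed_logins": logins,
        "failures_by_ip": Counter(ip for _, _, ip in logins),
    }


if __name__ == "__main__":
    for rule, result in run_detections(SAMPLE_LOG_FILE).items():
        print(f"{rule}: {result}")
```

Two gaps show up immediately: the page's root filter on its own also counts the service-invoked `GetBucketAcl` call, which is noise if the goal is catching interactive root use, and the EventBridge rule never sees `AuthorizeSecurityGroupEgress` because it is not in the `eventName` list. Tests against constructed records like these are a cheap way to confirm a rule covers the events you think it does before it goes into Terraform.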
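Enabling log file validation (`enable_log_file_validation` in the trail above) makes CloudTrail publish hourly digest files that list the SHA-256 of every log object it delivered, which is what lets you prove during an investigation that stored logs were not altered. As an added example, and not the page's code or the implementation behind `aws cloudtrail validate-logs`, this Python recomputes those hashes against a constructed digest and an in-memory stand-in for the S3 bucket, flagging one modified file and one deleted file. Bucket name, object keys, account ID and records are all constructed; the digest's own RSA signature and the chain back to the previous digest are not verified here.

```python
import gzip
import hashlib
import json

# Constructed object keys following CloudTrail's S3 layout (not real data)
PREFIX = "AWSLogs/111111111111/CloudTrail/us-east-1/2024/01/01/"
KEY_A, KEY_B, KEY_C = PREFIX + "a.json.gz", PREFIX + "b.json.gz", PREFIX + "c.json.gz"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_log_object(records):
    """A log file as CloudTrail stores it in S3: gzipped JSON with a Records array.
    The digest hash covers these stored (compressed) bytes."""
    return gzip.compress(json.dumps({"Records": records}).encode())


def build_digest(objects):
    """Constructed digest carrying only the fields this check needs, in the shape
    of CloudTrail's digest files: one logFiles entry per delivered object."""
    return {
        "digestSignatureAlgorithm": "SHA256withRSA",
        "logFiles": [{"s3Bucket": "example-trail-bucket", "s3Object": key,
                      "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(body)}
                     for key, body in objects.items()],
    }


def verify_log_files(digest, fetch):
    """Recompute each listed log file's hash and compare it with the digest.
    `fetch(key)` returns the object bytes or None (here a dict lookup; in
    practice an S3 GetObject). Returns key -> "ok" | "hash mismatch" | "missing".
    The digest's RSA signature is not checked; that step needs the CloudTrail
    public key and is what the AWS CLI's validate-logs command adds."""
    results = {}
    for entry in digest["logFiles"]:
        if entry["hashAlgorithm"] != "SHA-256":
            raise ValueError(f"unsupported hash algorithm {entry['hashAlgorithm']}")
        body = fetch(entry["s3Object"])
        if body is None:
            results[entry["s3Object"]] = "missing"
        elif sha256_hex(body) != entry["hashValue"]:
            results[entry["s3Object"]] = "hash mismatch"
        else:
            results[entry["s3Object"]] = "ok"
    return results


def demo():
    """Constructed scenario: three log files delivered and digested, then one is
    rewritten without an inconvenient record and another is deleted outright."""
    store = {
        KEY_A: build_log_object([{"eventName": "ConsoleLogin"}, {"eventName": "CreateAccessKey"}]),
        KEY_B: build_log_object([{"eventName": "AuthorizeSecurityGroupIngress"}]),
        KEY_C: build_log_object([{"eventName": "DeleteTrail"}]),
    }
    digest = build_digest(store)  # what CloudTrail would have published at delivery time
    store[KEY_A] = build_log_object([{"eventName": "ConsoleLogin"}])  # record removed
    del store[KEY_C]                                                   # file deleted
    return verify_log_files(digest, store.get)


if __name__ == "__main__":
    for key, status in demo().items():
        print(f"{status:14} {key}")
```

Because the digest is written by CloudTrail to the bucket alongside the logs, it is only as trustworthy as the bucket's own protections; this is why the hash check is paired with the digest signature check in practice, and why the trail bucket should deny deletes and use the KMS key from the trail configuration.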
Conclusion
Comprehensive security monitoring with CloudTrail, CloudWatch, and GuardDuty provides visibility into your AWS environment. By implementing proper logging, alerting, and analysis, you can detect and respond to security threats effectively.
