Configure Amazon CloudTrail S3 Logging

Amazon CloudTrail records the API calls and console actions made in your AWS account. To cover activity in every AWS region, CloudTrail can be configured to deliver its log files to an S3 bucket you own. Dhound picks up newly delivered log files from that bucket and extracts security events from them. More information about CloudTrail log files can be found here.

The instructions below give the exact steps to configure CloudTrail and to grant Dhound safe, read-only access to the log bucket (it takes less than a minute).

  1. Sign in to your AWS Console account.

  2. Open the CloudTrail service.

  3. Select Trails and click the Create trail button.

  4. Configure the new trail:

    • Trail name: LogAwsEvents (any name will do)
    • Apply trail to all regions: Yes (otherwise activity in regions other than the current one is never recorded)
    • Read/Write events: Write-Only (or All). Write-Only records only calls that change something; All also records read calls (Describe*, List*, Get*), which is what reconnaissance with a stolen credential looks like, at the cost of a much larger log volume.
    • Create a new S3 bucket: Yes
    • S3 bucket: <yoursystem>-cloudtrail-logs (bucket names are globally unique; pick another name if this one is already taken)

    Then click the "Create" button.

  5. You can inspect the log files CloudTrail has delivered by clicking on the S3 bucket name. The first files appear a few minutes after the trail is created.

  6. Note two parameters from this step; Dhound asks for them later:

    • Bucket name
    • Bucket region

  7. The next step is to configure safe access for Dhound: an IAM user that can read this one S3 bucket and nothing else. Select My Security Credentials from the menu that opens when you click your account name in the top right corner,

    or open the IAM service directly.

  8. First, create a policy that grants read-only access to the bucket created above and to nothing else. Click Policies in the navigation menu, then the "Create Policy" button.

  9. Click the JSON tab and paste the following. Replace dhound-cloudtrail-logs in both Resource entries with your own bucket name from step 6, otherwise the policy grants access to a bucket that is not yours and nothing to yours:

    
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadonlyCloudTrailLogsBucket",
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::dhound-cloudtrail-logs"
                ]
            },
            {
                "Sid": "ReadonlyCloudTrailLogsGetObject",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::dhound-cloudtrail-logs/*"
                ]
            }
        ]
    }
                    

    If you set a log file prefix during CloudTrail setup, include it in the object resource so that only objects under that prefix can be read (the ListBucket statement stays bucket-wide, because listing is a bucket-level permission; it can additionally be narrowed with an s3:prefix condition if other data shares the bucket):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadonlyCloudTrailLogsBucket",
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::dhound-cloudtrail-logs"
                ]
            },
            {
                "Sid": "ReadonlyCloudTrailLogsGetObject",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::dhound-cloudtrail-logs/myprefix/*"
                ]
            }
        ]
    }

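    The following Python script is an added example and not Dhound's code. It generates the policy above for any bucket and prefix, adds an s3:prefix condition to the ListBucket statement so that a holder of the key cannot enumerate keys outside the CloudTrail prefix either, and checks locally that the result permits exactly listing and reading the log path and nothing else (no PutObject, no DeleteObject, no other prefix). The bucket name, prefix and object key are placeholders. The evaluator is a simplified model (Allow statements and the StringLike operator only), not the IAM engine; before attaching the generated document, confirm it with aws iam simulate-custom-policy.

```python
"""Generate the read-only CloudTrail bucket policy and sanity-check it locally.
Added example, not Dhound's code. Bucket, prefix and keys are placeholders."""
import fnmatch
import json
from typing import Optional


def build_readonly_policy(bucket: str, prefix: str = "") -> dict:
    """Least-privilege policy: ListBucket on the bucket (limited to the prefix when
    one is set) and GetObject on objects under the prefix. Nothing else."""
    prefix = prefix.strip("/")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/{prefix}/*" if prefix else f"{bucket_arn}/*"

    list_stmt = {
        "Sid": "ReadonlyCloudTrailLogsBucket",
        "Effect": "Allow",
        "Action": ["s3:ListBucket"],
        "Resource": [bucket_arn],
    }
    if prefix:
        # ListBucket is a bucket-level permission, so a Resource of "bucket/prefix/*"
        # would never match. The prefix is enforced through the s3:prefix condition
        # key instead; a listing request without a prefix (key absent) fails it.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [prefix, f"{prefix}/*"]}}

    return {
        "Version": "2012-10-17",
        "Statement": [
            list_stmt,
            {
                "Sid": "ReadonlyCloudTrailLogsGetObject",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": [objects_arn],
            },
        ],
    }


def _like(pattern: str, value: str) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' one character, anchored."""
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy: dict, action: str, resource: str,
               context: Optional[dict] = None) -> bool:
    """Simplified local check, NOT AWS's evaluator: Allow statements only, no Deny /
    NotAction / NotResource, and only the StringLike condition operator. Enough to
    catch a policy that is wider or narrower than intended before it is attached."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_like(a, action) for a in stmt["Action"]):
            continue
        if not any(_like(r, resource) for r in stmt["Resource"]):
            continue
        conditions_hold = True
        for operator, keys in stmt.get("Condition", {}).items():
            if operator != "StringLike":
                raise NotImplementedError(f"condition operator {operator} not modelled")
            for key, patterns in keys.items():
                value = context.get(key)
                # IAM: a StringLike condition on an absent key evaluates to false.
                if value is None or not any(_like(p, value) for p in patterns):
                    conditions_hold = False
        if conditions_hold:
            return True
    return False


def policy_json(bucket: str, prefix: str = "") -> str:
    """The document to paste into the IAM JSON tab."""
    return json.dumps(build_readonly_policy(bucket, prefix), indent=4)


if __name__ == "__main__":
    print(policy_json("dhound-cloudtrail-logs", "myprefix"))
```

    Run it to print the policy for your bucket; the is_allowed checks are what you would run before attaching it, e.g. confirming that s3:GetObject on a key outside the prefix and any s3:Put*/s3:Delete* action come back False.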
  10. On the next step give the policy a name, for example ReadOnlyAccessToCloudTrailLogs, and click Create Policy.

  11. Go to the Users menu and click the Add user button.

  12. Enter a user name (dhound-read-only-cloudtrail-s3-logs) and select Programmatic access only; this user never needs a console password.

  13. On the permissions step, click the Attach existing policies directly tab and tick the ReadOnlyAccessToCloudTrailLogs policy created in step 10. Attach nothing else, in particular no AWS managed read-only policy, which would expose far more than the log bucket.

  14. The "Add tags" form can be left empty.

  15. The final page shows the generated Access Key ID and Secret Access Key. Copy them into the Dhound form for registering a new AWS Cloud asset. The secret is displayed only this once and cannot be retrieved later; do not reuse this key pair anywhere else. If it is ever exposed, deactivate it in IAM (Users, then the user's Security credentials tab) and issue a new one.

  16. Configuration is finished. Dhound will now start tracking security events and user activity across your Amazon Cloud infrastructure. Enjoy.
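    What a collector does with the access granted above, as an added example that is not Dhound's code: it lists the keys under the CloudTrail prefix (s3:ListBucket), fetches and gunzips each log file (s3:GetObject), parses the Records array and keeps the security-relevant records. Those two operations are the only ones the policy allows, which is why nothing else is needed. The bucket is an in-memory dict standing in for S3 (with boto3 the calls would be list_objects_v2 and get_object), and the account number, key names and log records are constructed for the example; the set of event names treated as noteworthy is a starting point, not Dhound's rule set.

```python
"""Read CloudTrail log files from a bucket the way a read-only collector would.
Added example, not Dhound's code. The bucket is an in-memory dict standing in
for S3; account, keys and records are constructed sample data."""
import gzip
import io
import json
import re

# Delivery layout: [<prefix>/]AWSLogs/<account>/CloudTrail/<region>/YYYY/MM/DD/<file>.json.gz
# Digest files live under CloudTrail-Digest/ and are deliberately not matched.
KEY_RE = re.compile(
    r"^(?:(?P<prefix>.+)/)?AWSLogs/(?P<account>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/"
    r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/(?P<file>[^/]+\.json\.gz)$"
)

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
IAM_CHANGES = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
               "PutUserPolicy", "AttachRolePolicy", "UpdateAssumeRolePolicy"}


def parse_key(key):
    """Split a CloudTrail log object key into its parts, or None for any other key."""
    m = KEY_RE.match(key)
    return m.groupdict() if m else None


def classify(record):
    """Tags for one CloudTrail record; an empty list means nothing noteworthy."""
    tags = []
    name = record.get("eventName", "")
    if record.get("userIdentity", {}).get("type") == "Root":
        tags.append("root-activity")
    if name == "ConsoleLogin" and record.get("responseElements", {}).get("ConsoleLogin") == "Failure":
        tags.append("failed-console-login")
    if name in TRAIL_TAMPERING:
        tags.append("trail-tampering")
    if name in IAM_CHANGES:
        tags.append("iam-change")
    if record.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
        tags.append("access-denied")  # denied read calls only appear on trails set to All
    return tags


def extract_security_events(records):
    """Reduce raw records to the fields an analyst needs, keeping only tagged ones."""
    events = []
    for r in records:
        tags = classify(r)
        if tags:
            events.append({
                "time": r.get("eventTime"), "event": r.get("eventName"),
                "actor": r.get("userIdentity", {}).get("arn"), "ip": r.get("sourceIPAddress"),
                "region": r.get("awsRegion"), "tags": tags,
            })
    return events


def collect(bucket, prefix=""):
    """bucket: {key: gzipped bytes}. Walk keys under prefix in key order; CloudTrail
    keys are date-partitioned, so a collector can resume from the last key it handled."""
    events = []
    for key in sorted(k for k in bucket if k.startswith(prefix)):
        if parse_key(key) is None:
            continue  # digests and unrelated objects
        with gzip.open(io.BytesIO(bucket[key]), "rt", encoding="utf-8") as f:
            events.extend(extract_security_events(json.load(f)["Records"]))
    return events


def _log_file(records):
    """Serialize records the way CloudTrail delivers them: gzipped {"Records": [...]}."""
    return gzip.compress(json.dumps({"Records": records}).encode("utf-8"))


ACCOUNT = "123456789012"  # constructed
SAMPLE_BUCKET = {  # constructed delivery: one log file with three records, plus a digest
    f"myprefix/AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/05/01/{ACCOUNT}_CloudTrail_us-east-1_20240501T1200Z_a1b2.json.gz": _log_file([
        {"eventVersion": "1.08", "eventTime": "2024-05-01T11:58:03Z", "eventSource": "signin.amazonaws.com",
         "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
         "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
         "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
        {"eventVersion": "1.08", "eventTime": "2024-05-01T11:59:10Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
         "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/ci"}},
        {"eventVersion": "1.08", "eventTime": "2024-05-01T11:59:40Z", "eventSource": "cloudtrail.amazonaws.com",
         "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
         "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"}},
    ]),
    f"myprefix/AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2024/05/01/{ACCOUNT}_CloudTrail-Digest_us-east-1_20240501T120000Z.json.gz": _log_file([]),
}

if __name__ == "__main__":
    for event in collect(SAMPLE_BUCKET, "myprefix/"):
        print(event)
```

    Running it prints two events from the sample: the failed console login for alice, and the StopLogging call made with the root account, tagged both as root activity and as trail tampering. The ordinary RunInstances call and the digest file produce nothing.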
