混乱しました。AWS MCP ServersとAWS MCP Serverの違いを徹底解説
https://qiita.com/sh_fukatsu/items/93719d61d3251df07a59?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items

#qiita #AWS #Cloudtrail #MCP #SOP #MCPサーバー

Threat Hunting AWS CloudTrail: From Threat Intelligence to Proactive Risk Reduction:https://medium.com/@suryaraj78425/threat-hunting-aws-cloudtrail-from-threat-intelligence-to-proactive-risk-reduction-cc009e8801bf

#threathunting #threatintelligence #aws #cloudtrail

【AWS】CloudTrail LakeとCloudWatch Logs Insightsの使い分け方針
https://qiita.com/tsurunoqiita/items/f032287b713338f34ccb?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items

#qiita #AWS #CloudWatch #Cloudtrail #CloudWatch_Logs #CloudTrail_Lake

I wanted to automatically disable an IAM user when it does something suspicious. Since this IAM user is used by a script I know that when it deviates that is a good indicator that it was compromised and I need to investigate.

How hard could it be?

Well, it turned out to be a frustrating experience. CloudTrail records events done by users, so this should be easy to setup. But then I started to encounter problems:

* Only the first CloudTrail event is free, so I did not want to create more than one trail
* CloudTrail sends events to EventBridge but only for the current region, which is not enough

I have an organizational trail in the management account. Let's see how easy it is to send these events into a member account!

* CloudTrail can send events to a CloudWatch log then I could set up a subscription filter. This worked for a PoC but ultimately there is a limit of 2 for subscription filters for a log group. So this was a no-go
* Otherwise it writes to S3, so I had to have a Lambda reading the objects as CloudTrail writes them

At this point I had a Lambda that got all CloudTrail events and filters out the interesting ones: ones with AccessDenied error, GetCallerIdentity, and ConsoleLogin. That should be a good start.

EventBus Rules can send events based on a filter, so forwarding these events into an EventBus seems like a good idea. So so far the chain is: CloudTrail => S3 => Lambda => EventBus.

But how can I send these events to the member account? Well, an EventBus Rule, of course. So I created an EventBus in the member account.

Next issue: a CloudFormation stack can't create an EventBus Rule in a different region. Interestingly, it is possible to create *cross-account* but not cross-region. So I needed an EventBus in the target region as well and set up a Rule to forward events there.

Then the very last step is to set up a Rule to filter events for the IAM user(s) and set up a CloudWatch alarm that calls a Lambda that attaches the DenyAll policy to the user.

Since I wanted everything managed by CloudFormation I ended up with an enormous amount of stacks:

* (mgmt acc us-east-1) CloudTrail + Lambda + EventBus
* (mgmt acc us-east-1) EventBus Rule to forward events to the member account
* (member acc us-east-1) EventBus to receive events from the mgmt account
* (member acc us-east-1) EventBus Rule to forward events to the regional EventBus
* (member acc eu-west-1) The target stack with the IAM users and an EventBus to receive events to

What makes it a particularly annoying experience is that there are so many small limitations that make a simpler solution impossible:

* CloudTrail should support filtering by events so that the whole management account => member account part could be saved
* Or: the default EventBus should receive *all* CloudTrail events not just ones for the current region
* EventBus Rule should be allowed to be cross-region. That would have saved me one EventBus
* EventBridge Pipes don't support SNS as a source and also it's not clear if that supports cross-region and cross-account pipes

I wrote about my frustrations in this article: [https://advancedweb.hu/cloudtrails-horrible-developer-experience/](https://advancedweb.hu/cloudtrails-horrible-developer-experience/).

Overall, I'm fairly happy with this solution, but I feel that it would be so much easier if AWS supported some basic features around CloudTrail.

#aws #cloudtrail #eventbridge

Originally published [on my blog](https://advancedweb.hu/shorts/how-hard-it-is-to-disable-an-iam-user-when-it-does-something-suspicious/)

AWS で必要最小限の権限、を求められた時
https://qiita.com/kazuneet/items/af9e30895585bd005f6e?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items

#qiita #AWS #Cloudtrail

New AWS::CloudTrail::Dashboard

Use the Dashboard resource to specify a CloudTrail Lake custom dashboard. A custom dashboard can have up to 10 widgets. For more information, see CloudTrail Lake dashboards in the AWS CloudTrail User Guide.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-dashboard.html #cloudtrail #cloudformation

AWSコンソールのサインイン履歴を検索・抽出する
https://qiita.com/gaichi/items/9cdaa51e8cda39b8056c?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items

#qiita #AWS #glue #Cloudtrail #監査 #Athena

Detecting AWS Account Compromise: Key Indicators in CloudTrail Logs for Stolen API Keys: https://thehackernews.com/2024/08/detecting-aws-account-compromise-key.html

#aws #cloudtrail #cloudsecurity

Dotenv doesn’t work in #lamda, but because it is during init, only white page. And because it is during init, no (symfony) lig in #CloudTrail 🥳🥳 #bref #symfony #CloudWatch

Cc @beberlei @BrocksiNet thanks!

Our latest blog post provides an introduction to #AWS detection engineering. We present the main log sources #CloudTrail #FlowLogs #GuardDuty for AWS, as well as some relevant events that defenders could use to detect attackers

https://blog.sekoia.io/aws-detection-engineering/

找出任意 S3 bucket 對應的 AWS Account ID

在 Hacker News 上看到「How to find the AWS account ID of any S3 bucket (tracebit.com)」這篇，作者利用不同的額外條件，讓 S3 bucket 產生不同的 res

https://blog.gslin.org/archives/2024/02/27/11680/%e6%89%be%e5%87%ba%e4%bb%bb%e6%84%8f-s3-bucket-%e5%b0%8d%e6%87%89%e7%9a%84-aws-account-id/

#API #AWS #Cloud #Computer #Murmuring #Network #Security #Service #account #amazon #api #aws #bucket #cloud #cloudtrail #data #endpoint #id #log #policy #s3 #security #service #vpc

Updated AWS::CloudTrail::EventDataStore

If the FederationEnabled property is set to true, use the FederationRoleArn property to specify the ARN for the federation role. The federation role must exist in your account and provide the required minimum permissions.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-eventdatastore.html #cloudtrail #cloudformation

Updated AWS::CloudTrail::EventDataStore

Use the FederationEnabled property to specify whether you want to federate the event data store.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-eventdatastore.html #cloudtrail #cloudformation

Using Session Names to Log Who Deployed What in CloudTrail
~~
ACM.388 Refactoring my test script that will ultimately be used in EC2 Instances to run deployment jobs
~~
#Cloudtrail #logs #aws #namingconvention #user #process

https://medium.com/cloud-security/using-session-names-to-log-who-deployed-what-in-cloudtrail-f75778fedd60

Updated AWS::CloudTrail::EventDataStore

Use the BillingMode property to specify the billing mode to use for the event data store.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-eventdatastore.html #cloudtrail #cloudformation

Updated AWS::CloudTrail::EventDataStore InsightSelector

Use the AWS::CloudTrail::EventDataStore InsightSelector property to specify the types of Insights events you want to collect in your destination event data store. ApiCallRateInsight and ApiErrorRateInsight are valid Insights types.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudtrail-eventdatastore-insightselector.html #cloudtrail #cloudformation

Updated AWS::CloudTrail::EventDataStore

Use the InsightsDestination property to specify the ARN (or ID suffix of the ARN) of the destination event data store that logs Insights events.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-eventdatastore.html #cloudtrail #cloudformation

5 things to explore in AWS when you’re just getting started https://medium.com/ready-set-code/5-things-to-explore-in-aws-when-youre-just-getting-started-f799e95397b2
#cloudfront #s3 #monitoring #aws #cloudtrail #ux #webdev #webdevelopment #programming #dev #developer #Coding #softwaredev #iam #cloudwatch #xray #ops #devops #beginner #development #software

How to get better insight into your AWS CloudFront distributions. https://medium.com/ready-set-code/how-to-get-better-insight-into-your-aws-cloudfront-distributions-3b19dfef023f
#cloudfront #s3 #monitoring #aws #cloudtrail #ux #webdev #webdevelopment #programming #dev #developer #Coding #softwaredev #iac

Have you ever thought about querying your #CloudTrail logs using #SQL with #Athena? 🏛️

This can actually be a great idea, especially if you are managing multiple AWS accounts!

If you want to find out more, check out our latest episode of #AWS Bites 👇

https://awsbites.com/94-get-the-most-out-of-cloudtrail-with-athena/