Automatically generated based on tag:

Title (Type): Summary

Basic security review (Page): The AWS account state and configuration (IAM users and their access keys, IAM roles and policies, compute instances, storage objects, etc.) can be reviewed manually using the AWS CLI utility or in a more automated fashion using third-party tools such as Scout Suite.
CloudTrail logs (Page): CloudTrail events share a common log schema, which notably includes the following fields of interest:

- eventTime: event timestamp in UTC.

- awsRegion: AWS region the request was made to.

- eventSource: the service the request was made to.

- eventName: the requested action, matching one of the API actions of that service.

- readOnly: whether the operation was read-only, i.e. did not induce a change.

- userIdentity: information about the principal that made the request.

- sourceIPAddress: the IP address the request was made from (or the name of the AWS service for service-initiated operations).

- userAgent: the User-Agent associated with the request.

- sessionCredentialFromConsole: whether the operation was conducted through the web console.

- resources: a list of resource(s) accessed / impacted by the operation.

- requestParameters: the parameters, if any, of the request.

- responseElements: the response element(s) for actions that make changes.

CloudTrail events can thus be grouped by their originating AWS service / product (such as iam.amazonaws.com, ec2.amazonaws.com, s3.amazonaws.com, etc.) or by principal (for instance the compromised long-term access key of an IAM user).
Logs overview (Page): A number of log sources are available in AWS that can be useful for incident response purposes:

- CloudTrail: logs management operations made in the AWS account through AWS Management Console actions and API calls. CloudTrail is enabled by default.

- CloudWatch: logs system performance metrics such as CPU usage, filesystem or network inputs/outputs, etc. Some AWS products automatically push metrics to CloudWatch (for free), while other services may require additional configuration to push metrics.

- AWS Config: records the configuration state of a number of resources in the AWS account, either periodically or continuously on configuration item change. AWS Config is not enabled by default.

- S3 Access Logs: logs bucket-level activities, i.e. access, upload, modification, and deletion of data stored in an S3 bucket. S3 Access Logs are not enabled by default and must be enabled on a per-bucket basis.

- VPC Flow Logs: logs VPC-level IP network traffic. Several versions of the VPC Flow Logs record format exist (2 to 5 to date), with higher versions recording an increased number of fields per record. VPC Flow Logs are not enabled by default and must be enabled at the VPC, subnet, or Elastic Network Interface (ENI) level.

- WAF Logs: logs requests processed by the AWS WAF service.
Logs search and collection tools (Page): CloudTrail logs can be collected from a specific region or across all regions using third-party tools, such as Invictus-AWS.
