Using CloudTrail Logs to Detect Security Threats: Techniques and Queries for Unusual Resource Access Patterns, Failed Login Attempts, and More

Prathamesh Ghumade
12 min read · Jan 12, 2023


Amazon CloudTrail records the API activity in an AWS account: console sign-ins, calls made through the SDKs and the CLI, and calls other AWS services make on your behalf. Each event captures who made the call (`userIdentity`), what was called (`eventSource`, `eventName`), when (`eventTime`), from where (`sourceIPAddress`), the `requestParameters`, and whether it failed (`errorCode`, `errorMessage`). By default a trail records management (control-plane) events only; data events such as S3 object access, Lambda invocations and DynamoDB item access must be enabled explicitly and are billed separately.

By using CloudTrail, you can detect unusual activity in your AWS environment, such as unexpected changes to security groups or IAM users, as well as identify potential security threats. For example, you can use CloudTrail to detect and respond to unauthorized access attempts, unauthorized changes to resources, or suspicious activity in your AWS accounts. Additionally, CloudTrail can be used to create audit trails of resource changes and to ensure compliance with internal policies and industry regulations.

CloudTrail is the backbone of the analysis, but it only records API activity. The sources below fill in the network, application and data-access layers. A few entries also clear up a common confusion: services such as IAM, EBS snapshots, ACM and Elastic IPs have no log of their own; their activity arrives as CloudTrail management events.

  1. CloudTrail event logs: every management API call with caller identity, event name, time, source IP, request parameters and error code. Data events (S3 `GetObject`/`PutObject`, Lambda `Invoke`, DynamoDB item access) are not recorded unless enabled on the trail. Turn on log file validation so that tampering with delivered log files is detectable.
  2. VPC Flow Logs: accepted and rejected IP flows per network interface (source and destination address, port, protocol, bytes). They show what CloudTrail cannot: traffic to a host, lateral movement, and beaconing to an unexpected address.
  3. CloudWatch Logs: OS and application logs shipped by the CloudWatch agent, and the delivery target for a trail when you want to query it with CloudWatch Logs Insights, as the queries later in this post do.
  4. S3 server access logs: one line per request to a bucket (requester, operation, key, status, bytes). S3 data events in CloudTrail cover the same ground with a richer identity field; use one or both on buckets that hold sensitive data.
  5. AWS Config: not a log but a configuration history. It records every change to a resource's configuration and evaluates rules against it, which is how you catch a bucket that became public or a security group that drifted from its template.
  6. IAM activity: IAM emits no separate log. Authentication (`ConsoleLogin`, `AssumeRole`) and authorization changes (`CreateUser`, `CreateAccessKey`, `AttachUserPolicy`, `UpdateAssumeRolePolicy`) are CloudTrail events; the IAM credential report and IAM Access Analyzer add the static view of who can do what.
  7. CloudFront standard access logs: viewer IP, request URI, status, edge location, referrer and user agent for every request to a distribution. Use them for abuse and scraping detection; CloudTrail only holds CloudFront control-plane changes such as `UpdateDistribution`.
  8. Elastic Load Balancing access logs: client IP, request line, target, status codes, latencies, TLS cipher and user agent. They do not contain full request and response headers; if you need those, put AWS WAF in front of the load balancer.
  9. CloudFormation stack events: creation, update and deletion of stacks and the resources in them. The API calls CloudFormation makes on your behalf also appear in CloudTrail, so an infrastructure change can be traced to both the stack and the principal that changed it.
  10. AWS WAF logs: every inspected request with the rule that matched and the action taken. Useful for tuning rules and, just as important, for seeing attack traffic that was allowed through.
  11. GuardDuty findings: GuardDuty already consumes CloudTrail, VPC Flow Logs and DNS logs and raises findings for credential misuse, reconnaissance, crypto-mining and exfiltration. Treat findings as high-signal input to your alerting rather than as another raw log.
  12. Route 53 query logs: public DNS query logging for hosted zones and Resolver query logging for VPCs. Resolver logs are the source for DNS-tunnelling and command-and-control domain detection.
  13. Amazon OpenSearch Service domain logs (the successor to Elasticsearch Service): slow logs, error logs, and audit logs when fine-grained access control is enabled. The audit log is what records who searched, indexed or deleted what.
  14. RDS logs: engine error, general, slow-query and audit logs, exportable to CloudWatch Logs. The audit log (where the engine supports it) is what you want for who connected and which statements ran.
  15. EBS snapshots, ACM certificates and Elastic IPs: all three are CloudTrail management events (`CreateSnapshot`, `DeleteSnapshot`, `ModifySnapshotAttribute`; `RequestCertificate`, `DeleteCertificate`; `AllocateAddress`, `ReleaseAddress`). A `ModifySnapshotAttribute` that makes a snapshot public or shares it with another account is a classic exfiltration path and deserves its own alert.
  16. AWS Direct Connect: CloudWatch metrics for connection state and throughput, CloudTrail for configuration calls, and VPC Flow Logs for the traffic crossing the virtual interface. There is no separate Direct Connect traffic log.
  17. EC2 instance metadata and user data: neither is logged by AWS. User-data changes are `ModifyInstanceAttribute` calls in CloudTrail; credential theft through the metadata service is mitigated by requiring IMDSv2, and anything that happens inside the OS has to be captured with the CloudWatch agent.
  18. Elastic Beanstalk, AWS IoT Core and AWS Glue: environment events, device connection and message logs, and job and crawler run logs respectively, all delivered to CloudWatch Logs. These are operations logs first; their security value is in spotting deployments, device connections or job runs that nobody initiated.

Which of these you collect depends on your architecture, but the minimum for a meaningful security view is CloudTrail in every region and account, VPC Flow Logs, and data-access logs for whatever holds the sensitive data. Centralise them (an organization trail delivered to a dedicated logging account, with the bucket locked down and log file validation on), alert automatically rather than relying on periodic review, and retain long enough to investigate an incident discovered months after the fact.

CloudTrail is most useful when you know which questions to ask of it. The queries in this post are written for CloudWatch Logs Insights, so the trail must deliver to a CloudWatch Logs log group (a trail that only delivers to S3 is queried with Athena instead). Each detection below names the CloudTrail fields or event names that make it concrete:

  1. Unusual resource access patterns: who calls which APIs from where. Baseline, per principal (`userIdentity.arn`), the usual `eventName` values and `sourceIPAddress` ranges, then alert on first-seen combinations. Reads of sensitive objects such as S3 `GetObject` only appear if data events are enabled on the trail.
  2. Failed login attempts: console sign-ins are `ConsoleLogin` events from `signin.amazonaws.com`, and a failure has `responseElements.ConsoleLogin = "Failure"`. Count failures per `sourceIPAddress` and per user to separate a forgotten password from password spraying. Failed root sign-ins are the same event with `userIdentity.type = "Root"`.
  3. Modification of security groups and network ACLs: `AuthorizeSecurityGroupIngress`, `AuthorizeSecurityGroupEgress`, `RevokeSecurityGroupIngress`, `RevokeSecurityGroupEgress`, `CreateSecurityGroup`, `DeleteSecurityGroup`, `CreateNetworkAclEntry`, `ReplaceNetworkAclEntry` and `DeleteNetworkAclEntry`. An unexpected change here is a direct change to the attack surface.
  4. Suspicious API calls: high-risk IAM actions (`AttachUserPolicy`, `PutUserPolicy`, `CreateAccessKey`, `CreateUser`, `UpdateAssumeRolePolicy`), calls from unexpected `sourceIPAddress` values, and bursts of `errorCode = "AccessDenied"` from one principal, which usually mean a stolen credential being probed for what it is allowed to do.
  5. Unusual activity on specific resources: `Delete*` calls against production resources, or access to a named bucket or table, matched on `requestParameters`.
  6. Root account activity: `userIdentity.type = "Root"`. Outside a rehearsed break-glass procedure, any root use should page someone.
  7. Changes in CloudTrail configuration: `StopLogging`, `DeleteTrail`, `UpdateTrail`, `PutEventSelectors`, plus policy and lifecycle changes on the trail's S3 bucket. Attackers disable logging before they act, so this is the one detection whose alerting path you must never let break.
  8. Sensitive information in S3 bucket access: needs S3 data events on the trail (or S3 server access logs). Filter on `eventSource = "s3.amazonaws.com"` and `requestParameters.bucketName`.
  9. Use of a specific IAM user/role: filter on `userIdentity.arn`. For roles match the role ARN as a prefix, since every session appends its own session name. Watch for request-rate jumps and new source addresses for the same principal.
  10. CloudFormation events: `CreateStack`, `UpdateStack`, `DeleteStack` from `cloudformation.amazonaws.com`. The resource-level calls CloudFormation then makes on your behalf are also in the trail, so a stack change can be tied to the principal behind it.
  11. CloudFront: CloudTrail only holds control-plane calls (`CreateDistribution`, `UpdateDistribution`, `DeleteDistribution`, `CreateInvalidation`). Viewer request volume and origin access patterns come from CloudFront access logs, not from CloudTrail.
  12. Open ports and CIDR ranges in security group and network ACL changes: the `requestParameters` of the item 3 events carry the ports and CIDRs, so you can alert specifically on ingress from `0.0.0.0/0` or `::/0` rather than on every rule edit.
  13. Suspicious Elastic IP activity: `AllocateAddress`, `ReleaseAddress`, `AssociateAddress`, `DisassociateAddress`. Unexpected allocations can mean someone standing up infrastructure in your account; request volume against an address is a VPC Flow Logs question, not a CloudTrail one.
  14. High number of Auto Scaling events: `UpdateAutoScalingGroup`, `SetDesiredCapacity`, `CreateAutoScalingGroup`, `DeleteAutoScalingGroup` and the resulting `RunInstances`. A sudden scale-out on a compromised key is often crypto-mining; a scale-in is a cheap way to cause an outage.
  15. AWS resource tag modifications: `CreateTags`/`DeleteTags` (EC2) and `TagResource`/`UntagResource` (most other services). Tags frequently drive IAM condition keys, backup selection and compliance automation, so removing a tag can silently widen access or drop a resource out of a control.

These are starting points rather than a finished rule set. Run them against your own account, tune out the noise, and turn the ones that stabilise into metric filters and alarms so that they fire without anyone having to remember to run a query. Monitoring, auditing and alerting only work if the trail itself is protected: multi-region, organization-wide, delivered to a bucket the monitored accounts cannot modify.
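To show what these detections look like as code rather than as an interactive query, here is an added Python example (mine, not from the original post) that applies four of them to a handful of constructed CloudTrail records: root activity, a burst of failed console sign-ins from one address, trail tampering, and a security group rule opened to `0.0.0.0/0`. The records mimic the shape of the `Records` array CloudTrail writes to S3; the account ID, ARNs, addresses and timestamps are invented, and the five-failures-in-ten-minutes threshold is an assumption to tune.

```python
"""Rule-based detections over CloudTrail records (added example, not the post's code).

SAMPLE_RECORDS is constructed to mimic CloudTrail's "Records" array; account ID,
ARNs, IPs and times are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_RECORDS = [
    # successful root console sign-in
    {"eventTime": "2023-01-12T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"}},
] + [
    # six failed console sign-ins for one user from one address, a minute apart
    {"eventTime": f"2023-01-12T10:{m:02d}:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"}
    for m in range(6)
] + [
    # logging switched off, then SSH opened to the world by the same role session
    {"eventTime": "2023-01-12T10:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"},
     "requestParameters": {"name": "main-trail"}},
    {"eventTime": "2023-01-12T10:11:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    # benign read from inside the VPC; should match no rule
    {"eventTime": "2023-01-12T10:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/carol"}},
]

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
WORLD = {"0.0.0.0/0", "::/0"}


def root_activity(records):
    """Every call made with root credentials; root should see no day-to-day use."""
    return [r for r in records if r["userIdentity"]["type"] == "Root"]


def failed_console_logins(records, threshold=5, window=timedelta(minutes=10)):
    """Source IP -> largest run of failed ConsoleLogin events inside `window`, reported
    once the run reaches `threshold`. CloudTrail marks a failed console sign-in with
    responseElements.ConsoleLogin == "Failure"."""
    failures = defaultdict(list)
    for r in records:
        if (r["eventName"] == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
            failures[r["sourceIPAddress"]].append(datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = end - start + 1
    return hits


def trail_tampering(records):
    """Calls that stop, delete or reconfigure a trail: usually the intruder's first move."""
    return [r for r in records
            if r["eventSource"] == "cloudtrail.amazonaws.com" and r["eventName"] in TRAIL_TAMPERING]


def world_open_ingress(records):
    """(groupId, fromPort, toPort) for each AuthorizeSecurityGroupIngress rule admitting
    0.0.0.0/0 or ::/0, following the ipPermissions.items[].ipRanges.items[] layout
    CloudTrail uses for EC2 request parameters."""
    hits = []
    for r in records:
        if r["eventName"] != "AuthorizeSecurityGroupIngress":
            continue
        params = r.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            cidrs = {x.get("cidrIp") for x in perm.get("ipRanges", {}).get("items", [])}
            cidrs |= {x.get("cidrIpv6") for x in perm.get("ipv6Ranges", {}).get("items", [])}
            if cidrs & WORLD:
                hits.append((params.get("groupId"), perm.get("fromPort"), perm.get("toPort")))
    return hits


def run_all(records):
    """Run every rule; the returned dict is what you would hand to an alerting pipeline."""
    return {
        "root_activity": [r["eventName"] for r in root_activity(records)],
        "failed_console_logins": failed_console_logins(records),
        "trail_tampering": [r["eventName"] for r in trail_tampering(records)],
        "world_open_ingress": world_open_ingress(records),
    }


if __name__ == "__main__":
    for rule, result in run_all(SAMPLE_RECORDS).items():
        print(f"{rule}: {result}")
```

The sliding window in `failed_console_logins` is what separates a user mistyping a password twice from a spray: it reports the densest cluster of failures per address rather than a raw total over the whole file. Feeding the same functions the gzipped JSON CloudTrail drops in S3 only requires loading each file and concatenating its `Records` list.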

Here's an example of a CloudWatch Logs Insights query, run against the log group the trail delivers to, that pulls three of the access patterns above into one result set:

# 10.0.0.0/8 stands in for your own NAT or VPN egress range
fields @timestamp, userIdentity.type, userIdentity.arn, eventName, sourceIPAddress, errorCode
| filter userIdentity.type = "Root"
    or (userIdentity.type = "IAMUser" and eventName = "PutBucketAcl" and errorCode = "AccessDenied")
    or (userIdentity.type = "AssumedRole" and eventName = "PutObject"
        and not isIpv4InSubnet(sourceIPAddress, "10.0.0.0/8"))
| sort @timestamp desc
| limit 100

The query selects the fields worth showing in an alert, keeps only events that meet one of the three conditions, then sorts them newest first and returns 100. Keep `filter` ahead of `sort` and `limit`: limiting first would truncate to 100 arbitrary events and then search within those. Two details that are easy to get wrong in CloudTrail queries: a denied call is identified by `errorCode = "AccessDenied"` (`errorMessage` holds free text that varies by service), and Logs Insights has no `search` command, so conditions belong in `filter`. The three conditions are:

  • Root account usage (`userIdentity.type = "Root"`)
  • An IAM user attempting `PutBucketAcl` and being denied, which is what probing for the permission to make a bucket public looks like
  • An assumed role writing objects from outside the internal range; `PutObject` is an S3 data event, so this clause only matches if data events are enabled on the trail

These conditions are examples of unusual resource access patterns that could indicate unauthorized access or data exfiltration. The right set depends on your environment and the threats you care about; once a condition is stable, turn it into a metric filter and alarm rather than running it by hand.

Here's a broader query for the same log group. It folds the fifteen detection types from the earlier list into a single `filter`, one commented clause per item:

  1. Unusual resource access patterns
  2. Failed login attempts
  3. Modification of security groups and network ACLs
  4. Suspicious API calls
  5. Unusual activity on specific resources
  6. Root account activity
  7. Changes in CloudTrail configuration
  8. Sensitive information in S3 bucket access
  9. Use of a specific IAM user/role
  10. CloudFormation events
  11. CloudFront distribution changes (viewer access logs are not in CloudTrail)
  12. Open ports and CIDR ranges in security group and network ACL changes
  13. Suspicious Elastic IP activity
  14. High number of Auto Scaling events
  15. AWS resource tag modifications

# CloudWatch Logs Insights; run against the log group the trail delivers to.
# Every value marked PLACEHOLDER must be replaced before the clause can match anything.
fields @timestamp, eventSource, eventName, userIdentity.type, userIdentity.arn, sourceIPAddress, errorCode, awsRegion
| filter
    # 6. root account activity
    userIdentity.type = "Root"
    # 2. failed console sign-ins; CloudTrail flags them in responseElements
    or (eventName = "ConsoleLogin" and responseElements.ConsoleLogin = "Failure")
    # 1. reads by an assumed role from outside the internal range (PLACEHOLDER CIDR)
    or (userIdentity.type = "AssumedRole" and eventName like /^(Get|List|Describe)/
        and not isIpv4InSubnet(sourceIPAddress, "10.0.0.0/8"))
    # 4. denied writes: a principal probing for permissions it does not have
    or (eventName like /^(Put|Create|Delete|Modify|Update|Attach)/ and errorCode = "AccessDenied")
    # 4. calls by IAM users from a known-bad address (PLACEHOLDER IP)
    or (userIdentity.type = "IAMUser" and sourceIPAddress = "192.0.2.1")
    # 3. security group and network ACL changes
    or eventName in ["AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
        "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
        "CreateSecurityGroup", "DeleteSecurityGroup",
        "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry"]
    # 12. the subset of those that open a port to the world
    or (eventName = "AuthorizeSecurityGroupIngress" and (@message like "0.0.0.0/0" or @message like "::/0"))
    # 5. / 8. deletions and object access on a sensitive bucket (PLACEHOLDER bucket name;
    #         GetObject, PutObject and DeleteObject require S3 data events enabled on the trail)
    or (eventSource = "s3.amazonaws.com"
        and eventName in ["DeleteBucket", "DeleteObject", "GetObject", "PutBucketAcl", "PutBucketPolicy"]
        and requestParameters.bucketName = "sensitive-bucket")
    # 9. writes by one watched principal (PLACEHOLDER ARN; for a role, match the role ARN as a prefix)
    or (userIdentity.arn like "arn:aws:iam::123456789012:user/watched-user"
        and eventName like /^(Put|Create|Delete)/)
    # 10. CloudFormation stack changes
    or (eventSource = "cloudformation.amazonaws.com"
        and eventName in ["CreateStack", "UpdateStack", "DeleteStack"])
    # 11. CloudFront control-plane changes (viewer traffic is in CloudFront access logs, not here)
    or (eventSource = "cloudfront.amazonaws.com"
        and eventName in ["CreateDistribution", "UpdateDistribution", "DeleteDistribution"])
    # 13. Elastic IP churn
    or eventName in ["AllocateAddress", "ReleaseAddress", "AssociateAddress", "DisassociateAddress"]
    # 14. Auto Scaling changes; to find spikes run this clause alone with stats count(*) by bin(1h)
    or (eventSource = "autoscaling.amazonaws.com"
        and eventName in ["CreateAutoScalingGroup", "UpdateAutoScalingGroup", "SetDesiredCapacity", "DeleteAutoScalingGroup"])
    # 15. tag changes (EC2 uses CreateTags/DeleteTags, most other services TagResource/UntagResource)
    or eventName in ["CreateTags", "DeleteTags", "TagResource", "UntagResource"]
    # 7. tampering with the trail itself
    or eventName in ["StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"]
| sort @timestamp desc
| limit 1000

The query selects the fields an analyst needs to triage a hit, keeps every event that satisfies one of the numbered clauses, and returns the newest 1000. The comment numbers map back to the list above. Three things about its shape are worth noting:

- The placeholders (internal CIDR, known-bad IP, bucket name, watched ARN) must be replaced; as written those clauses match nothing in your account. Wildcard syntax such as `eventName = "Put*"` does not work in Logs Insights; prefix matches are regular expressions (`eventName like /^Put/`).
- Several of the items in the list are not really CloudTrail questions. Request volume to CloudFront origins comes from CloudFront access logs, traffic against an Elastic IP from VPC Flow Logs, and "a high number of Auto Scaling events" is a count rather than a filter: run the Auto Scaling clause on its own with `stats count(*) by bin(1h)` and alert when the count exceeds your baseline.
- Object-level S3 events (`GetObject`, `PutObject`, `DeleteObject`) only exist in the trail if S3 data events are enabled; without them clause 8 silently reduces to the bucket-level calls.

These clauses are examples of unusual resource access patterns, failed login attempts and the other indicators listed above, not a rule set to deploy as-is. A query this wide is useful for hunting and for building a first picture of an account; for alerting, split it into one metric filter per clause so that each has its own threshold, owner and runbook, and review the set periodically as your environment and the threats you face change.

Log analysis takes time, tooling and people who know the environment, and it only holds up if the logs themselves are trustworthy: restrict who can read or delete the trail bucket, keep log file validation on, and retain for as long as your compliance obligations and your incident investigations require.
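Items 1 and 9 differ from the rest of the list: they are not fixed patterns but deviations from what a principal normally does, which a single `filter` cannot express. The following added Python example (mine, not the post's) builds a per-principal baseline from a constructed training set of CloudTrail records (which APIs, which /24 source networks, peak calls per hour) and then reports first-seen API calls, new source networks, unknown principals and rate spikes in a second set. Principal ARNs, addresses and timestamps are invented; stripping the session name from assumed-role ARNs, aggregating sources to /24, and the three-times-peak rate threshold are design choices, not CloudTrail behaviour.

```python
"""Baseline-and-deviation detection for CloudTrail principals (added example, not the post's code).

Records are constructed; ARNs, addresses and times are invented. A real pipeline
would load the trail's JSON from S3 or a CloudWatch Logs export instead.
"""
import ipaddress
from collections import Counter, defaultdict


def ev(time, arn, typ, name, ip):
    """Build the subset of a CloudTrail record these detections read."""
    return {"eventTime": time, "userIdentity": {"type": typ, "arn": arn},
            "eventName": name, "sourceIPAddress": ip}


ROLE = "arn:aws:sts::123456789012:assumed-role/ReadOnly"
MALLORY = "arn:aws:iam::123456789012:user/mallory"

# Training set: two quiet days of a read-only role working from the office /24.
BASELINE_RECORDS = [
    ev("2023-01-10T09:00:00Z", f"{ROLE}/carol", "AssumedRole", "DescribeInstances", "10.0.0.5"),
    ev("2023-01-10T09:30:00Z", f"{ROLE}/carol", "AssumedRole", "ListBuckets", "10.0.0.5"),
    ev("2023-01-11T09:10:00Z", f"{ROLE}/carol", "AssumedRole", "DescribeInstances", "10.0.0.17"),
    ev("2023-01-11T09:40:00Z", f"{ROLE}/carol", "AssumedRole", "ListBuckets", "10.0.0.17"),
]
# Detection set: the same role at 03:00 from an outside address pulling objects
# eight times in an hour, then a principal the baseline has never seen.
DETECT_RECORDS = [
    ev(f"2023-01-12T03:{m:02d}:00Z", f"{ROLE}/carol", "AssumedRole", "GetObject", "203.0.113.9")
    for m in range(0, 40, 5)
] + [ev("2023-01-12T03:45:00Z", MALLORY, "IAMUser", "CreateUser", "203.0.113.9")]


def principal(rec):
    """Assumed-role ARNs end in a per-session name; drop it so every session of a
    role shares one baseline (design choice, not CloudTrail behaviour)."""
    arn = rec["userIdentity"]["arn"]
    return arn.rsplit("/", 1)[0] if rec["userIdentity"]["type"] == "AssumedRole" else arn


def network(source):
    """Collapse IPv4 to /24 and IPv6 to /64 so a NAT pool counts as one network.
    Service names such as 'cloudformation.amazonaws.com' are kept verbatim."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return source
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{source}/{prefix}", strict=False))


def hour_bucket(rec):
    return rec["eventTime"][:13]          # "YYYY-MM-DDTHH"


def build_baseline(records):
    """Per principal: APIs called, source networks seen, and the busiest hour,
    which becomes the rate reference for detection."""
    profile = defaultdict(lambda: {"events": set(), "networks": set(), "peak_per_hour": 0})
    per_hour = Counter()
    for r in records:
        p = principal(r)
        profile[p]["events"].add(r["eventName"])
        profile[p]["networks"].add(network(r["sourceIPAddress"]))
        per_hour[(p, hour_bucket(r))] += 1
    for (p, _), n in per_hour.items():
        profile[p]["peak_per_hour"] = max(profile[p]["peak_per_hour"], n)
    return dict(profile)


def detect(records, baseline, rate_multiplier=3):
    """Return (kind, principal, detail) findings, deduplicated so a burst of
    identical events yields one finding rather than one per event."""
    findings, seen, per_hour = [], set(), Counter()

    def add(kind, p, detail):
        if (kind, p, detail) not in seen:
            seen.add((kind, p, detail))
            findings.append((kind, p, detail))

    for r in records:
        p = principal(r)
        prof = baseline.get(p)
        if prof is None:
            add("new_principal", p, r["eventName"])
            continue
        if r["eventName"] not in prof["events"]:
            add("new_api_call", p, r["eventName"])
        net = network(r["sourceIPAddress"])
        if net not in prof["networks"]:
            add("new_source_network", p, net)
        per_hour[(p, hour_bucket(r))] += 1
    for (p, hour), n in per_hour.items():
        peak = baseline[p]["peak_per_hour"]
        if n > rate_multiplier * peak:
            add("rate_spike", p, f"{hour}: {n} calls, baseline peak {peak}")
    return findings


if __name__ == "__main__":
    for finding in detect(DETECT_RECORDS, build_baseline(BASELINE_RECORDS)):
        print(finding)
```

Rebuild the baseline on a rolling window (the previous 30 days is a common choice) and exclude any record that already produced a finding, otherwise an attacker's activity becomes part of "normal" the next day. The same structure extends to other dimensions, for example `awsRegion` or `userAgent`, by adding one more set to the profile.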


