precious ogundipe
4 min read · Oct 27, 2023

Securing Your Website with AWS CloudTrail

What is AWS CloudTrail?

AWS CloudTrail is the audit service for an AWS account. It records the API calls made by users, roles and AWS services (management events by default, plus data events such as S3 object access if you enable them) and delivers them as log files to an S3 bucket you choose. That record of who called which API, from where and when is what you use to detect unauthorized access, investigate security incidents and meet compliance requirements.

Benefits of using AWS CloudTrail for cloud security

Auditability: every recorded API call carries the identity that made it, the source IP address, the user agent and the request parameters, so you can see who touched a resource and exactly what they changed.

Security monitoring: the trail shows unauthorized and suspicious activity, such as failed console logins, calls that were denied, or security group and IAM changes coming from an unfamiliar IP address. Sending the trail to CloudWatch Logs or Amazon EventBridge lets you alert on these in near real time.

Compliance: CloudTrail gives you a detailed audit trail of account activity that you can show auditors to demonstrate that access to your data is controlled and reviewed.

Operational troubleshooting: when something broke after a change, the trail tells you which API call changed it, who made it and when, which is usually the fastest route to the root cause.

Cost optimization: CloudTrail does not measure utilization itself, but it shows which principals create and call which resources, which helps you find resources nobody uses and that should be removed.

How to use AWS CloudTrail

Case scenario: Your company’s website was hacked, and as the security engineer you are expected to find out who did it and make sure it does not happen again. Members of your team make frequent changes to the website, and those changes sometimes cause problems, so the team also wants a way to track what was changed and who changed it.

Step 1: Modify the security group and observe the website.

Navigate to EC2 in the console and find the instance that runs the website.
On the Security tab, open the instance’s security group and review its inbound rules (these rules decide which network connections can reach the instance).
Edit the SSH rule so that it allows SSH (TCP port 22) only from your own IP address, not from the whole internet.

Step 2: Create a CloudTrail log

Navigate to CloudTrail in the management console. In the left panel, select Trails and create a new trail.
Give the trail a name, choose (or let CloudTrail create) the S3 bucket the logs will be delivered to, and keep log file validation enabled so that tampering with delivered logs can be detected. Under event types, record management events for both read and write API activity; that is where security group, IAM and console login events appear.

Step 3: Observe the hacked website

Website before hack
Website after hack

Note: a trail only captures events from the moment it is created, so CloudTrail has to be enabled before an attack to tell you what users did in your account. (The console’s Event history keeps the last 90 days of management events even without a trail, but the Athena analysis below needs the log files the trail delivers to S3.)

Navigate back to your EC2 instance and look at the security group’s inbound rules again. A new rule has appeared that you did not add. CloudTrail lets us trace who added it, because adding an inbound rule is an API call (AuthorizeSecurityGroupIngress) that the trail records.

Step 4: Analyzing the CloudTrail logs using Athena

Amazon Athena is a serverless, interactive query service that lets you analyze data in Amazon S3 using standard SQL, so you can query the CloudTrail log files directly in the bucket the trail writes to.

Navigate to CloudTrail, select Event history in the left panel, choose Create Athena table, and point it at the S3 bucket your trail delivers logs to. This creates a table whose columns match the fields of a CloudTrail record.
Navigate to Amazon Athena and set a query result location (an S3 path where Athena stores query output); Athena will not run queries until one is configured.
Write a SQL query against the table that filters on eventname = 'AuthorizeSecurityGroupIngress' (the call that adds an inbound rule) and returns useridentity.username, eventtime, sourceipaddress and useragent. The user agent tells you whether the rule was added from the console (an agent such as console.ec2.amazonaws.com) or programmatically (aws-cli or an SDK). Also look at errorcode: calls that were denied changed nothing, so leave them out.
You have found the identity of the hacker 🎉🎉🎉
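The same analysis, done offline in Python rather than in Athena, as an added example (this is not code from the original post). It filters CloudTrail records for security group rule changes, skips calls that failed, and reports the caller, time, source IP and whether the call came from the console or from the CLI/SDK; it also lists everything the identified principal did, which is what you need before removing them. The records are constructed sample data in CloudTrail’s JSON format: the user names, account id, security group id, IP addresses and the console/programmatic heuristic based on the user agent are all assumptions.

```python
"""Who added the inbound rule? Added example; mirrors the Athena query in step 4."""
import json

ACCOUNT = "123456789012"  # made-up account id


def _record(user, event_source, event_name, when, ip, agent, params=None, error=None):
    """Build one CloudTrail-shaped record (helper for the constructed sample only)."""
    rec = {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE" + user.upper(),
                         "arn": f"arn:aws:iam::{ACCOUNT}:user/{user}",
                         "accountId": ACCOUNT, "userName": user},
        "eventTime": when, "eventSource": event_source, "eventName": event_name,
        "awsRegion": "us-east-1", "sourceIPAddress": ip, "userAgent": agent,
        "requestParameters": params or {},
    }
    if error:
        rec["errorCode"] = error
    return rec


SG = "sg-0123456789abcdef0"  # made-up security group id
CONSOLE = "console.ec2.amazonaws.com"
CLI = "aws-cli/2.13.0 Python/3.11.4 Linux/6.1.0 exe/x86_64"
OPEN_SSH = {"groupId": SG, "ipPermissions": {"items": [{
    "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
    "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}

# Constructed sample log: one admin, one attacker ('chaos'), one denied attempt by 'intern'.
SAMPLE_LOG = json.dumps({"Records": [
    _record("precious", "ec2.amazonaws.com", "DescribeInstances",
            "2023-10-27T07:55:02Z", "198.51.100.7", CONSOLE),
    _record("chaos", "iam.amazonaws.com", "CreateAccessKey",
            "2023-10-27T08:05:10Z", "203.0.113.45", CLI, {"userName": "chaos"}),
    _record("intern", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress",
            "2023-10-27T08:10:41Z", "198.51.100.9", CONSOLE, OPEN_SSH,
            error="Client.UnauthorizedOperation"),
    _record("chaos", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress",
            "2023-10-27T08:12:33Z", "203.0.113.45", CLI, OPEN_SSH),
    _record("precious", "ec2.amazonaws.com", "RevokeSecurityGroupIngress",
            "2023-10-27T09:02:15Z", "198.51.100.7", CONSOLE, OPEN_SSH),
]})

RULE_CHANGES = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
                "ModifySecurityGroupRules"}


def principal_name(rec):
    """Human-readable caller: user name for IAM users, session name for assumed roles."""
    ident = rec.get("userIdentity", {})
    if ident.get("type") == "IAMUser":
        return ident.get("userName")
    if ident.get("type") == "AssumedRole":
        return ident.get("arn", "").rsplit("/", 1)[-1]
    return ident.get("arn") or ident.get("type", "unknown")


def access_method(rec):
    """Console vs programmatic, judged from the user agent (heuristic, an assumption)."""
    agent = rec.get("userAgent", "")
    return "console" if "console" in agent or "signin.amazonaws.com" in agent else "programmatic"


def find_rule_changes(log_text, group_id=None):
    """Successful security-group rule changes, oldest first (what the Athena query returns)."""
    hits = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") not in RULE_CHANGES:
            continue
        if rec.get("errorCode"):
            continue  # denied or failed calls changed nothing (errorcode column in Athena)
        params = rec.get("requestParameters", {})
        if group_id and params.get("groupId") != group_id:
            continue
        hits.append({"user": principal_name(rec), "time": rec["eventTime"],
                     "source_ip": rec.get("sourceIPAddress"), "method": access_method(rec),
                     "event": rec["eventName"], "group": params.get("groupId")})
    return sorted(hits, key=lambda h: h["time"])


def activity_by_user(log_text, user):
    """Everything one principal did, so you know what else to undo before deleting it."""
    return sorted((r["eventTime"], r["eventSource"], r["eventName"])
                  for r in json.loads(log_text)["Records"] if principal_name(r) == user)


if __name__ == "__main__":
    for hit in find_rule_changes(SAMPLE_LOG, group_id=SG):
        print(hit)
    print(activity_by_user(SAMPLE_LOG, "chaos"))
```

Running it prints the successful rule change by chaos from 203.0.113.45 via the CLI, the later revoke by the admin from the console, and then the full list of what chaos did, which already includes a CreateAccessKey call that the rule query alone would not have shown.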

Step 5: Improving security.

SSH into the EC2 instance (or open a shell on it through AWS Systems Manager Session Manager) so that you can lock down the SSH daemon; the attacker must not be able to log back in even if they know a password.

To update your SSH configuration, first check what is currently in force, then edit the file:

sudo grep -Ei '^\s*PasswordAuthentication' /etc/ssh/sshd_config
sudo vi /etc/ssh/sshd_config    # in vi, enter :set number to show line numbers
Make sure PasswordAuthentication is set to no, and that no earlier line in the file sets it to yes: sshd uses the first value it finds for a keyword. On distributions whose sshd_config starts with an Include /etc/ssh/sshd_config.d/*.conf line, check those drop-in files too, because they are read before the rest of the file and take precedence.

Validate the file and restart the SSH service so that the change takes effect (keep your current session open until you have confirmed you can still log in with your key):

sudo sshd -t
sudo systemctl restart sshd    # or, on older systems: sudo service sshd restart
In the EC2 console, delete the inbound rule that the hacker created.
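An added example (not code from the original post) that checks an sshd_config for the weak settings above and fixes them the way sshd actually reads the file: the first value for a keyword wins, so appending PasswordAuthentication no under an earlier yes changes nothing, and lines inside a Match block only apply to that match. The config text is a constructed sample, and the set of enforced values (password logins off, root login off, public key logins on) is an assumption for a host that uses key-based access only.

```python
"""Audit and harden sshd_config text. Added example; not the original post's code."""
import re
import sys

# Settings this example enforces (assumption: the host uses key-based logins only).
WANTED = {
    "PasswordAuthentication": "no",
    "PermitRootLogin": "no",
    "PubkeyAuthentication": "yes",
}

# Constructed sshd_config excerpt: a later 'no' that sshd ignores, and a Match block.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes
"""

_DIRECTIVE = re.compile(r"^([^\s=#]+)\s*=?\s*(.*?)\s*$")  # 'Key value' or 'Key=value'


def _parse(line):
    """Return (key, value) for a directive line, or None for blanks and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = _DIRECTIVE.match(stripped)
    return (m.group(1), m.group(2)) if m else None


def effective_settings(text):
    """Values sshd would use from the global section: first wins, a Match line ends it."""
    found = {}
    for line in text.splitlines():
        parsed = _parse(line)
        if not parsed:
            continue
        key, value = parsed
        if key.lower() == "match":
            break
        found.setdefault(key.lower(), value)
    return found


def weak_settings(text):
    """Keys whose effective value differs from WANTED ('(unset)' when the line is missing)."""
    eff = effective_settings(text)
    return {k: eff.get(k.lower(), "(unset)") for k, v in WANTED.items()
            if eff.get(k.lower(), "").lower() != v}


def harden(text):
    """Return corrected config text; running it again on its own output changes nothing."""
    wanted_lower = {k.lower(): k for k in WANTED}
    out, done, in_match = [], set(), False
    for line in text.splitlines():
        parsed = _parse(line)
        if parsed and not in_match:
            key = parsed[0].lower()
            if key == "match":
                in_match = True            # everything from here on belongs to Match blocks
            elif key in wanted_lower:
                if key in done:
                    line = "#" + line      # later duplicate; sshd would ignore it anyway
                else:
                    line = f"{wanted_lower[key]} {WANTED[wanted_lower[key]]}"
                    done.add(key)
        out.append(line)
    missing = [f"{k} {v}" for k, v in WANTED.items() if k.lower() not in done]
    if missing:  # add absent directives to the global section, ahead of any Match block
        first_match = next((i for i, l in enumerate(out)
                            if (p := _parse(l)) and p[0].lower() == "match"), len(out))
        out[first_match:first_match] = missing
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Dry run: pass a path to audit a real file, otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print("weak:", weak_settings(text))
    print(harden(text))
```

The script only prints the corrected text; write it back yourself, run sudo sshd -t on the result before restarting, and remember that it reads one file: if the main config has an Include of /etc/ssh/sshd_config.d/*.conf, audit those drop-ins first, since directives they set win over anything later in the main file.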

Step 6: Fix the website

Run these commands on the instance:

cd /var/www/html/cafe/images/
ls -l
The listing shows a backup copy of the original image next to the defaced one. Keep the defaced file for the investigation instead of overwriting it, then restore the backup:
sudo mv Coffee-and-Pastries.jpg /tmp/Coffee-and-Pastries.defaced    # preserve evidence
sudo mv Coffee-and-Pastries.backup Coffee-and-Pastries.jpg
You finally fixed the website 🎉🎉🎉

Step 7: Delete the AWS hacker user

Navigate to the IAM console, select the user ‘chaos’ and delete it. Before you do, check in CloudTrail for everything else that identity did (new users, roles, access keys or policy changes) and undo those too, so that you do not leave a second way in.
Congratulations! You have successfully resolved the issue 🎉🎉🎉

Conclusion:

AWS CloudTrail was used to investigate and respond to this security incident, together with Amazon Athena to query the logs and IAM to remove the attacker’s access. Enable a trail in every account now, before you need it: it only records what happens after it is turned on.