Published in Cloud Security

Querying CloudTrail with CloudTrail Lake

ACM.37: Using CloudTrail Lake to query the actions needed to create zero-trust policies (Zero Trust Policies ~ Part 2)

Should you include data events in your logs? These logs will cost you more, but without them you cannot tell what an attacker accessed in the event of a data breach.

A particular company I know that had one of the most notable AWS data breaches to date was about to turn off its data event logging before the breach. Without it, the organization would not have been able to determine the specific data the attacker accessed. When you have a data breach you can be fined for each record exposed, and your logs help you reduce those fines by being very specific about what attackers accessed. Because the company had data event logs, it was able to show the specific S3 objects the attacker retrieved with a get action, and avoid fines for every object with sensitive data in its S3 buckets.

So do you need data events? That depends on whether you store sensitive data and whether you want to see exactly what an attacker accessed in the event of a security incident. If you have a breach involving PII, PCI, HIPAA or other sensitive data, detailed logs and a good security analyst can reduce the cost of the breach, provided you stopped the breach before the attacker got to all the data.
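Data events are turned on per trail or per CloudTrail Lake event data store with advanced event selectors. The example below is added here and is not code from the original post: it builds the selector that logs S3 object-level calls under named buckets, shows the management-events-only selector beside it for contrast, and includes a check that tells you whether an existing selector list actually covers a given bucket. The bucket names are constructed placeholders; the boto3 call is shown in a comment and not executed.

```python
"""Added example (not from the original post): CloudTrail advanced event
selectors for S3 data events, plus a coverage check for a bucket.
Bucket ARNs are hypothetical."""
from typing import Iterable, List, Dict

# The weak setting: management events only. An attacker's GetObject calls
# never appear in the log with this selector.
MANAGEMENT_ONLY: List[Dict] = [{
    "Name": "Management events only",
    "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}],
}]


def s3_data_event_selectors(bucket_arns: Iterable[str],
                            name: str = "S3 object data events") -> List[Dict]:
    """Return an AdvancedEventSelectors list that logs every S3 object-level
    call (GetObject, PutObject, DeleteObject, ...) under the given buckets.
    The trailing '/' keeps 'bucket' from also matching 'bucket-2'."""
    prefixes = [f"{arn.rstrip('/')}/" for arn in bucket_arns]
    return [{
        "Name": name,
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
            {"Field": "resources.ARN", "StartsWith": prefixes},
        ],
    }]


def covers_s3_object_events(selectors: List[Dict], bucket_arn: str) -> bool:
    """True if some selector logs data events for objects in bucket_arn.
    Only Equals/StartsWith are evaluated; exclusion operators such as
    NotStartsWith are not modelled here (assumption of this example)."""
    target = f"{bucket_arn.rstrip('/')}/"
    for sel in selectors:
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
            continue
        if "AWS::S3::Object" not in fields.get("resources.type", {}).get("Equals", []):
            continue
        arn = fields.get("resources.ARN")
        if arn is None:
            return True  # no ARN constraint: every bucket's objects are logged
        if any(target.startswith(p) for p in arn.get("StartsWith", [])):
            return True
    return False


# Applying it to a trail (hypothetical trail name, not run here):
#   import boto3
#   boto3.client("cloudtrail").put_event_selectors(
#       TrailName="org-trail",
#       AdvancedEventSelectors=s3_data_event_selectors(["arn:aws:s3:::customer-data"]))

if __name__ == "__main__":
    sel = s3_data_event_selectors(["arn:aws:s3:::customer-data"])
    print(covers_s3_object_events(sel, "arn:aws:s3:::customer-data"))        # True
    print(covers_s3_object_events(MANAGEMENT_ONLY, "arn:aws:s3:::customer-data"))  # False
```

Run the coverage check against the selectors you read back from `get_event_selectors` for every bucket that holds regulated data; a bucket the check reports as uncovered is one whose object reads you will not be able to reconstruct after an incident.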
jobs/iam/DeployBatchJobCredentials/test.sh
The query returns userIdentity as one nested string. Pretty-printed, the row for the batch role looks like this (IDs masked):
[
  {
    "userIdentity":
    "{
      type=AssumedRole,
      principalid=xxxx:botocore-session-xxxx,
      ...
      sessioncontext=
      {
        attributes=
        {
          creationdate=2022-08-14 17:38:28.000,
          mfaauthenticated=false
        },
        sessionissuer=
        {
          type=Role,
          principalid=xxxxxxxxx,
          arn=arn:aws:iam::xxxxxxx:role/BatchRoleDeployBatchJobCredentials,
          accountid=xxxxxx,
          username=BatchRoleDeployBatchJobCredentials
        }
      }
    }"
  }
]
To pull the issuing role's type out of that nested structure, walk the path from the top-level field down:
- We want the value of an attribute of userIdentity.
- sessioncontext is an attribute of userIdentity.
- sessionissuer is an attribute of sessioncontext.
- type is an attribute of sessionissuer.
So the column reference in the CloudTrail Lake query is the dotted path. Try: userIdentity.sessioncontext.sessionissuer.type
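The same dotted path filters on the issuing role's ARN, which is what you need to list the actions a specific role actually took and turn them into a least-privilege policy. The example below is added here and is not the post's own code: it builds that CloudTrail Lake query, shows the boto3 calls in a comment, and converts result rows (constructed sample rows in the shape `get_query_results` returns, not real data from the role in the post) into an IAM policy skeleton. The event data store ID and account ID are placeholders.

```python
"""Added example (not from the original post): CloudTrail Lake query for the
actions a role took, and a converter from result rows to an IAM policy.
Event data store ID, account ID and sample rows are constructed."""
import json
from collections import defaultdict
from typing import Dict, List, Set

EVENT_DATA_STORE = "00000000-0000-0000-0000-000000000000"  # placeholder ID


def actions_query(role_arn: str, since: str, eds: str = EVENT_DATA_STORE) -> str:
    """CloudTrail Lake SQL. Nested struct fields use the dotted path
    userIdentity.sessioncontext.sessionissuer.<attribute>."""
    return f"""
SELECT eventsource, eventname, COUNT(*) AS calls
FROM {eds}
WHERE userIdentity.sessioncontext.sessionissuer.type = 'Role'
  AND userIdentity.sessioncontext.sessionissuer.arn = '{role_arn}'
  AND eventtime > '{since}'
GROUP BY eventsource, eventname
ORDER BY calls DESC
""".strip()


# Running it (not executed here):
#   ct = boto3.client("cloudtrail")
#   qid = ct.start_query(QueryStatement=actions_query(role_arn, since))["QueryId"]
#   rows = ct.get_query_results(QueryId=qid)["QueryResultRows"]  # poll until status is FINISHED

# CloudTrail eventName is not always the IAM action name. Known exceptions
# go here; this map is an assumption of the example and is not exhaustive.
EVENT_TO_ACTION = {("s3.amazonaws.com", "HeadObject"): "s3:GetObject"}


def rows_to_actions(rows: List[List[Dict[str, str]]]) -> Set[str]:
    """get_query_results returns each row as a list of one-key dicts."""
    actions = set()
    for row in rows:
        cols = {k: v for cell in row for k, v in cell.items()}
        src, name = cols["eventsource"], cols["eventname"]
        service = src.split(".")[0]          # "s3.amazonaws.com" -> "s3"
        actions.add(EVENT_TO_ACTION.get((src, name), f"{service}:{name}"))
    return actions


def least_privilege_policy(actions: Set[str], resource: str = "*") -> Dict:
    """One Allow statement per service listing only the observed actions.
    Resource is '*' as a starting point; scope it down before deploying."""
    by_service = defaultdict(list)
    for action in sorted(actions):
        by_service[action.split(":")[0]].append(action)
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": svc.capitalize(), "Effect": "Allow", "Action": acts, "Resource": resource}
        for svc, acts in sorted(by_service.items())]}


SAMPLE_ROWS = [  # constructed sample in the shape get_query_results returns
    [{"eventsource": "sts.amazonaws.com"}, {"eventname": "AssumeRole"}, {"calls": "3"}],
    [{"eventsource": "secretsmanager.amazonaws.com"}, {"eventname": "CreateSecret"}, {"calls": "1"}],
    [{"eventsource": "s3.amazonaws.com"}, {"eventname": "HeadObject"}, {"calls": "2"}],
    [{"eventsource": "s3.amazonaws.com"}, {"eventname": "GetObject"}, {"calls": "2"}],
]

if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/BatchRoleDeployBatchJobCredentials"
    print(actions_query(role, "2022-08-14 00:00:00"))
    print(json.dumps(least_privilege_policy(rows_to_actions(SAMPLE_ROWS)), indent=2))
```

The query groups by eventsource and eventname so a noisy role produces one row per action rather than one per call. The eventName-to-action map matters: HeadObject, for instance, is authorized by s3:GetObject, so a policy generated naively from event names would be wrong in both directions, and the generated document is a starting point to review, not something to attach unread.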
./deploy.sh
BatchJobAdminCredentials
Teri Radichel

Cloud Security Training and Penetration Testing | GSE, GSEC, GCIH, GCIA, GCPM, GCCC, GREM, GPEN, GXPN | AWS Hero | Infragard | IANS Faculty | 2ndSightLab.com